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1.  Introduction  and  Notation 

In  this  paper  we  present  a  mathematical  model  called  a  memory  structure,  and  define  a 
computation  theory  over  such  structures.  This  computation  theory  provides  a  semantics  for 
first-order,  lexically  scoped  Lisp-like  languages  and  we  use  this  as  a  basis  for  expressing  and 
proving  properties  of  a  variety  of  programs  that  destructively  alter  the  contents  of  memory. 
Since  we  have  chosen  to  work  in  a  Lisp-like  world,  our  subject  matter  is  particularly  relevant 
to  the  Lisp  programmer.  The  main  example  in  this  paper  is  a  proof  of  the  correctness  of 
the  Robson  copying  algorithm,  [R].  This  algorithm  copies  possibly  cyclic  Lisp  style  S- 
expressions  using  bounded  storage  and  illustrates  how  destructive  memory  operations  can 
be  used  to  write  fast  efficient  programs.  The  paper  is  organized  as  follows:  In  section  two 
we  describe  the  cleiss  of  memory  structures  and  introduce  Maea:p>  the  S-expression  memory 
structure  as  a  particular  example.  In  section  three  we  describe  a  computation  theory  over 
these  structures  that  corresponds  to  a  Lisp-like  programming  language.  In  section  four  we 
study  IMIaeap  iu  more  detail,  developing  the  concepts  one  usually  finds  in  Lisp-like  languages. 
Section  five  gives  four  simple  correctness  proofs  of  typical  Lisp  programs  both  destructive 
and  otherwise.  The  leist  two  sections  deal  with  the  Robson  copying  algorithm  and  related 
programs. 

We  finish  off  this  section  by  describing  some  of  our  notation.  We  use  the  usual  notation 
for  set  membership  and  function  application.  Let  D,  Do>  Dll  •  •  -  l^n  he  sets,  then  Do®ID>i  is 
the  (disjoint)  union  of  Dq  and  Di.  We  only  use  0  applied  to  disjoint  sets,  thus  it  is  mainly 
a  matter  of  empheisis.  Do  ®  ®  Dn-i  is  the  set  of  n-tuples  with  element  from  Di  for 

i  <  n.  We  write  D^”)  for  Do<S>.  ■  .<8)Dn-i  when  each  D;  is  D.  D*  is  the  set  of  finite  sequences 
of  elements  of  D . 

D*  =  IJ  D^'‘> 

Some  notation  for  sequences  follows,  o  is  the  empty  sequence,  the  unique  element  of 

D(°)  for  any  domain  D.  For  d,do,. . .  ,dn-i,do,. . .  €  D,  the  sequence  of  length 

n  with  element  di  for  i  <  n  is  written  [do, •  •  •  Let  v  =  [do,. . .  ,d„_i],  u  = 

[do,. . .  ,d(,j_i]  and  i  <  n  then  |u|  is  the  length  of  v  while  vj.,-  is  the  element  of  v, 

namely  di.  vou  =  [do, ... , d„_i ,do, . . .  ,d!^_i]  is  the  concatenation  of  v  and  u.  We  identify 
df 

d  with  the  singleton  sequence  [d].  Note  that  {uov)  ow  =  uo  (vow)  and  [  ]  =  □, 

Ptj  D  is  the  domain  of  finite  sets  from  D.  [Do  Di]  is  the  set  of  total  functions  from 
Do  to  Di,  and  [Do  Di]  is  the  set  of  partial  functions.  If  /i  6  [Do  Di],  then  6^  is  the 
domain  of  n  and  is  its  range.  For  do  €  Do,di  £  Di,  and  p  G  [Do  ^  Di]  we  let 

p{do  di } 

be  the  map  po  such  that  po(<^)  =  di  po(cO  —  l^id)  for  d^  do- 

Some  particular  sets  that  we  shall  use  frequently  are  as  follows.  Z  is  the  integers  and 
z,zo,  ...  range  over  Z.  N  =  {0, 1,2, . . .}  is  the  natural  numbers  and  n,  no,  ...  range  over 
f^.  We  consider  a  natural  number  to  be  the  set  of  numbers  less  than  it,  thus  the  less  than 
relation,  <,  is  simply  the  membership  relation,  G,  of  set  theory.  We  let  T  =  {0,1}*  be  the 
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complete  binary  tree,  i.e.  the  set  of  finite  sequences  of  O’s  and  I’s.  We  use  1"  to  denote 
the  sequence  in  T  that  consists  of  exactly  n  ones.  Note  that  1°  =  d.  We  shall  adopt  the 
convention  that  trees  grow  downward  and  cr,<To,  ...  will  range  over  T.  We  use  two  partial 
orderings  on  T .  The  initial  segment  relation,  <,  and  the  Brouwer-Kleene  linear  ordering,  -<. 
<^o  <  is  taken  to  mean  that  <Ti  is  below  (Tq  in  T,  while  ag  -<  ai  means  that  cg  is  before 
<Ji  in  T.  The  below  relation  is  defined  by 


(Tg  <  cr I  ^  3(7  ^  a  (cTi  =  (To  o  <r) 
and  the  before  relation  is  defined  by 

(Jg  <  (Tl  •*-+  (To  <  (Ti  V  3(T,  (T2  ,  <T3  ((To  =  <T  O  0  O  (T2  A  <Ti  =  (T  O  1  0(Tz). 

The  before  relation  is  also  known  as  the  depth-first  ordering. 

We  wish  to  thank  several  people,  Ross  C2isley  and  Martin  Ross  for  proofreading  an  ear¬ 
lier  draft  of  this  paper  and  detecting  many  absurdities,  Dave  Touretzky  for  kindly  allowing 
us  to  reproduce  some  diagrams  from  his  book  [To],  and  finally  Dennis  de  Champeaux  for 
providing  us  with  an  annotated  Interlisp  version  of  the  Robson  copy  algorithm,  the  reason 
this  paper  exists. 

2.  Memory  Structures  and  y„a,p 

In  this  section  we  introduce  the  notion  of  a  memory  structure  over  a  set  f\  of  atoms. 
The  purpose  is  to  model  the  memory  of  a  Random  Access  Machine  (RAM)  and  to  study 
the  abstract  structures  typically  represented  in  such  machines.  The  memory  of  a  RAM 
can  be  thought  of  as  a  collection  of  locations  (at  any  particular  time  this  collection  will  of 
course  be  finite).  The  machine  uses  these  locations  to  store  various  types  and  quantities  of 
objects.  There  are  machine  instructions  for  accessing  and  updating  the  contents  of  memory 
locations.  Some  objects  are  intended  to  represent  abstract  quantities  such  eis  numbers, 
boolean  vectors,  characters,  etc.,  and  there  are  machine  instructions  for  computing  functions 
on  these  abstract  entities,  such  as  arithmetic  operations  and  boolean  functions.  The  exact 
nature  and  number  of  the  objects  storable  in  each  location  varies  from  machine  to  machine, 
we  shall  abstract  away  from  this  machine  dependent  aspect  of  memory.  Consequently  we 
will  assume  that  our  hypothetical  machine  can  store  a  sequence  of  objects,  (the  sequence 
being  of  arbitrary  finite  length)  each  object  being  either  an  atom  from  A  or  the  address 
of  another  location  in  memory.  An  address  in  this  sense  is  simply  some  specification  of  a 
location  by  which  the  machine  can  access  that  location  (and  its  contents).  Again  the  precise 
nature  of  these  addresses  will  vary  from  machine  to  machine,  and  so  again  we  will  abstract 
away  from  these  implementation  dependent  details. 

In  this  paper  we  will  be  mainly  concerned  with  S-expression  memories  that  can  only 
store  pairs  of  objects  in  each  location,  however  we  will  treat  the  general  case  first  leaving 
S-expression  memory  structures  as  a  particular  example.  Let  A  be  some  fixed  set  of  atoms 
and  L  some  countably  infinite  set  disjoint  from  A.  L  is  the  set  of  memory  locations  of  our 
hypothetical  machine.  The  elements  of  the  sequences  that  are  stored  in  these  locations  are 
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the  memory  values  and  we  denote  them  by  V.  Thus  V  —  A  ©  L.  A  memory  is  a  function 
from  a  finite  subset  of  L  to  the  set  of  sequences  of  memory  values,  V*  =  (A  ©  L)*.  Since 
we  wish  to  represent  the  contents  of  the  location  I  in  the  memory  n,  we  also  require 
that  those  locations  which  occur  amongst  the  contents  of  locations  are  also  locations  in  our 
memory.  Thus  we  define  a  memory  fi  to  he  s.  finite  map  such  that 

M  ^  ®  ^)*]- 

where  6^  is  a  finite  subset  of  L  .  The  set  of  all  memories  over  A  and  L  is  denoted  by  M(a,l)- 
Now  suppose  that  y  is  a  set  of  memories,  a  memory  object  of  y  is  a  pair 

[uo  1  •  •  •  »  —  1  ]  >  M 

such  that  is  a  memory  in  y  and  the  sequence  [vo ,  •  •  •  ? ]  satisfies  Vi  6  ©A  for  i  €  n. 
Thus  a  memory  object  is  a  memory  together  with  a  sequence  of  memory  values  which  exist 
in  vixat  memory.  We  invariably  write  such  a  memory  object  simply  as  uq  , . . . ,  Vn- 1  ;  -A- 

memo  y  structure  is  defined  to  be  a  set  of  memories  y  together  with  a  set  of  operations  O, 
which  are  allowed  to  be  partial,  on  those  memory  objects  of  M.  The  operations  model  the 
machine  instructions  for  manipulating  objects.  We  usually  refer  to  a  memory  structure  by 
its  collection  of  memories  y,  taking  the  operations  to  be  implicit.  We  also  abuse  notation 
and  refer  to  the  set  of  memory  objects  of  a  particular  collection  of  memories  y  simply  by 
y,  context  should  always  prevent  confusion.  One  last  abuse  of  notation  is  that  by  y^”^ 
we  always  mean  the  collection  of  memory  objects  whose  sequence  of  memory  values  is  of 
length  n,  the  re2ison  for  this  is  that  we  often  want  to  apply  a  memory  operation  or  defined 
function  to  several  arguments  all  of  which  we  assume  exist  in  one  and  the  same  memory. 
For  ease  of  reading  we  let  /i,  /uq,  ...  range  over  memories,  v,vo,  ...  range  over  V,  o,  ao,  ... 
range  over  A  and  l,lo,  •••  range  over  L. 

2.1.  Definition  of  a  memory  structure  y 

We  can  summarize  the  above  definitions  as  follows: 

.  A  and  L  are  disjoint  sets,  L  countable,  and  V  =  A  ©  L  is  the  set  of  memory  values. 

•  A  memory  is  a  finite  map  n  from  L  to  V*  such  that  /i  €  [5^  (6^  ©A)*].  The  set  of 

all  memories  over  A  and  L  is  denoted  by  y(A,L)' 

•  Let  y  be  a  set  of  memories.  A  memory  object  of  y  is  a  tuple  vq,.  . .  ,Vr,_i  ;  A*  such 
that  /i  is  a  memory  in  y  and  Vj  G  6^  ©  A  for  i  G  n.  We  write  vq,.  . . , Vn-i  ;  H  €  y^”^ 
to  emphasize  the  length  of  the  memory  value  sequence. 

•  ■  A  memory  structure  is  a  set  of  memories  y  together  with  a  set  of  operations  O  on 
memory  objects  of  y. 
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2.2.  The  S-expression  memory  structure 

As  a  particular  example  of  a  memory  structure  we  now  present  the  S-expression  memory 
structure.  It  should  be  very  familiar  to  those  readers  acquainted  with  any  Lisp-like  language. 
We  assume  that  the  integers  Z  are  contained  in  A  and  that  A  contains  two  non-numeric 
atoms  T  and  NIL.  These  atoms  are  used  to  represent  true  and  /a/se,  NIL  is  also  used  to 
represent  the  empty  list.  We  shall  also  assume  that  there  are  an  unlimited  collection  of 
non-numeric  atoms  other  than  the  two  we  just  mentioned.  We  shall  usually  denote  them 
by  strings  of  upper  case  letters  IN  THIS  FONT.  Thus  for  our  purposes  the  following  are  also 
in  A:  INFINITY,  MIO,  THIS: ATOM,  . . . 

The  set  of  S-expression  memories,  is  defined  by: 


Thus,  as  we  mentioned  earlier,  the  S-expr€^ion  memory  can  only  store  pairs  of  memory 
values  in  its  memory  locations.  To  complete  our  specification  of  of  the  S-expression  memory 
structure  we  need  only  describe  the  operations  These  are  as  follows: 


^eexp  =  ^  cons? ^eq^addl  ^subl  ^  cons  ^  car ^cdr^rplaca^rplacd} 

int?  and  cons?  are  characteristic  functions  (recognizers)  of  1  and  L,  and  eq  is  the  charac¬ 
teristic  function  of  equality. 


int?{v  ;  n)  = 


-/t; 


(NIL; 


iiv  el 
if  V  ^  Z 


cons?(v  ;  jx)  = 
eqivQ.Vi  ;//)  = 


T;m 

if  V  e  L 

NIL ;  M 

if  u  ^  L 

'T;m 

if  vq  =  vi 

NIL ;  M 

if  Vo  #  vi 

addl  and  suhl  are  the  successor  ansi  predecessor  functions  on  Z. 

addl  (2  ;  ju)  =  2  -f- 1 ;  /i 
sv.bl  {z  ;  n)  =  z  —  1 ;  ^ 

The  cons  operation  is  a  pair  constructing  function  and  car  and  cdr  are  the  corresponding 
projections.  Note  that  cons  enlarges  the  domain  of  the  memory  object  by  selecting  a  new 
location  from  free  storage  and  putting  the  arguments  as  its  contents.  The  free  storage  of  a 
memory  fx  is  just  another  name  for  L  —  5^. 

cons{vo,Vi  ;fx)  =l  ifiQ  where  /  ^  and  Mo  = 
car(l;M)  =m(01o  iA* 
cdr{l ;  /i)  =  m(0  i  i  i  M 
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The  destructive  memory  operations  rplaca  and  rplacd  update  the  contents  of  a  pre-existing 
location  in  memory.  The  domain  of  the  resulting  memory  object  is  unchanged.  By  the  use 
of  these  functions  one  can  obtain  memory  objects  that  store  their  own  locations, 

rplaca{l,v  ;  jj)  =  I  ] /jLq  where  /io  ==  fJ>{l 

rplacd{l^  V  ;jLi)  =  I  ;mo  where  /io  =  -^[/^(0io>^]} 

We  shall  refer  to  the  S-expression  memory  structure  simply  by  Meexp- 

In  most  C2ises  we  shall  not  be  interested  in  the  value  of  the  rplacx  operations,  x  E  {a,  d}, 
so  for  convenience  we  define  the  operations  setcar  and  setcdr, 

$€tcar{l,v  ]  pi)  = 

8€tcdr{l,v  ]pi)  =//{/ -^ [//(/) 

Note  that  rplacx{l^  v  ]  fi)  ^  I  ;  setcxr{l^  v  ;  /i)  for  x  6  (a,  d}. 

We  have  not  defined  addl  or  subl  on  anything  other  than  integers  nor  car  and  cdr 
on  A  or  Micip,  when  n  1.  We  shall  not  specify  their  behavior  on  these  sets,  the  reader 
should  rest  assured  that  the  issue  is  of  little  importance  in  this  paper. 

3.  A  computation  theory  over  memory  structures. 

In  this  section  we  describe  a  programming  language  for  computations  over  memory 
structures  and  give  this  language  a  semantics.  Our  language  is  a  first-order  lexically  scoped 
Lisp-like  language.  Although  we  will  work  only  with  the  S-expression  memory  structure, 
we  define  the  language  and  semantics  for  an  arbitrary  memory  structure  M  with  atoms  A, 
locations  L,  and  operations  O.  We  assume  that  A  contains  a  distinguished  atom  NIL. 

3.1.  Memory  expressions  over  Ml. 

We  begin  by  defining  the  expressions  of  our  language.  Let  X  and  F  be  disjoint  countable 
sets.  Elements  of  X  are  memory  variable  symbols  and  range  over  memory  values.  Elements 
of  F  are  function  symbols,  each  with  an  associated  finite  arity.  Finally  there  are  constant 
symbols  for  the  atoms  and  memory  operations  of  Ml.  However,  we  will  not  make  any  attempt 
to  distinguish  between  an  atom  or  operation  and  the  constant  that  denotes  it.  We  use  a:, 
Xq,  . .  .for  elements  of  X,  /,  /o,  . .  .for  elements  of  F,  and  e,  eo,  . .  .for  memory  expressions. 
The  set  of  memory  expressions  is  defined  inductively  to  be  the  smallest  set  E  containing 

.  V  =  A©L 

-  X 


and  closed  under  the  following  formation  rules: 

If  ^test  ?  ^then  9  ^else  ^  E  then  If  ?  ^then  ?  ^else)  ^ 
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■  If  Cl,. . .  ,c„, Cbody  G  E  and  xi,. . .  €  X  are  distinct  then 

let{xi  Cl , .  .  .  ,Xffi  -4-  Cm  } Cbody  €  E. 

.  If  Cl , . . . ,  Cn  G  E  then  8eq(ci , . . . ,  Cn)  G  E. 

•  If  t?  is  either  an  n-ary  memory  operation  or  n-ary  function  symbol  from  F,  and 
Cl,. . .  ,c„  e  E  then  i9(ci,. . . ,  Cn)  G  E. 

The  only  variable  binding  operation  is  let.  let{yi  ci,. . .  -t- Cm}cbody  binds 

the  free  occurrences  of  in  Cbody  The  {yi  ei,.  ■ .  ,ym  Cm}  part  of  a  let  expression 
is  called  the  binding  expression.  For  a  memory  expression  e  the  set  of  free  variables  in 
e,  FV{e),  is  defined  in  the  usual  manner.  We  say  that  c  is  closed  if  FV{e)  is  empty, 
c {2/1  vi,. . .  ,ym  ~^rVm}  is  the  result  of  substituting  free  occurrences  of  the  in  c  by  the 
values  Vi,  or  to  be  more  precise  the  constant  symbols  denoting  them.  We  often  write 

[ Cq  , .  .  • , Cn ] 


for  8eq(co,...,en). 

Prior  to  describing  the  semantics  of  memory  expressions,  we  need  to  make  one  more 
definition.  A  system  of  memory  function  definitions  is  a  list  of  triples 

recdef((/o,6so,co),...,(/„,6s„,c„)) 
that  satisfies  the  following  conditions: 

■  Each  bsi  is  a  sequence,  without  repetitions,  of  variables  from  X  of  length  m,-. 

•  /,•  is  an  m^-ary  function  symbol  from  F. 

■  Ci  must  be  a  memory  expression  such  that  FV^e,)  is  a  subset  of  fes,-,  the  only  function 

symbols  that  occur  in  Ci  are  among  /o, . . .  ,/n,  and  no  /  G  L  occurs  in  any  of  the  e-,. 

The  recdef  construct  allows  us  to  define  a  set  of  mutually  recursive  functions.  The 
sequence  6s,-  names  the  arguments  of  the  function  /<  and  e,-  is  the  expression  used  to  compute 
its  value.  In  more  traditional  notation  we  have 

/o(6so)  •*—  Co 


fnibsn)  ^  Cb 

Given  such  a  system  of  definitions,  call  it  D,  we  say  /,-  is  defined  in  D  and  similar  self- 
explanatory  expressions.  Note  that  our  language  is  first  order  in  the  sense  that  we  do  not 
have  functionals  (functions  with  function  parameters  or  values). 
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3.2.  Rules  for  computation  over  memory  structures. 

A  closed  memory  expression  together  with  a  suitable  memory  describes  the  computa¬ 
tion  of  a  memory  object.  Such  pairs  are  called  memory  object  descriptions.  To  make  the 
notion  of  suitable  precise,  we  fix  a  system  of  function  definitions 

D  =  recdel((/o,65o,eo),. . 

Then  a  memory  object  description  is  pair  e  ;  /i  that  satisfies  the  following  conditions: 

■  e  is  a  closed  memory  expression, 

•  any  I  that  occurs  in  e  is  also  in  6^,  and 

■  every  function  symbol  /  G  F  which  occurs  in  c  is  defined  in  D, 

The  basic  rules  for  computation  are  given  by  a  single  step  relation  on  memory  object 
descriptions,  cq  ; /io  generated  by  the  rules  below.  That  is,  is  the 

least  relation  containing  the  primitive  cases  and  closed  under  the  congruence  conditions. 
The  primitive  cases  correspond  to  primitive  machine  instructions  for  branching,  sequenc¬ 
ing,  variable  binding,  execution  of  memory  structure  operations  and  function  call.  The 
congruence  cases  are  rules  for  reducing  sub-expressions  in  order  to  reduce  descriptions  to 
primitive  cases.  They  determine  which  sub-expression  may  be  reduced  and  the  effect  of 
that  reduction  on  the  description  containing  it. 

Primitive  cases: 


if  (vq  ?  ^then  5  ^else)  \  M 


f  ®then  !  A* 
\  ®else  )  M 


if  Vo  iz  NIL 
if  Vo  =  NIL 


seq(e)  ;/i e\\i 

8eq(vo,ei,...,en,)  -*>^  seq(ei,. . . ,  c^)  ; // 

let{yi  vi,. . .  ,t/m  ;/i  «{3/i  Vi,. . .  ,i/m  Vm}  ; /^ 

■d{vi , . . . ,  Vn ) ;  Ai  — Vo  ;fio  if  t?  is  a  memory  operation  and  i?(vi , . . . ,  v„  ;  ^)  =  Vo  ;  A*o 
t?(vi,...,v„)  ;/i e{yi  Vi Vn}  ;  A*  if  (yi . y»).  «)  is  in  I>. 


Congruence  cases:  If  Ca  ;  A^a  — Cb  ;  A^b  then 

if  (Ca)  ®then  »  Seise)  !  A^a  if  (Sb?  Sthen  >  Seise)  j  A*b 

seq(ea,  •  •  •)  i  A^a  seq(eb,  ^lb 

let{2/i  -(-Vj_i,2/j-«-ea,...,2/m-<-Cm}c  ;A^a 

Iet{?/1  -<-Vi,...,2/y_i  -<-vy_i,yj -(-Cb,...,2/m-<-Cm}c  ;  A^b 
l9(vi , .  .  .  ,  Vj_i ,  ea , .  •  •  ?  Cm)  5  A*a  l9(vi ;  ■  •  • ,  Vj—i ,  Cb ;  •  •  ■  ,  Cm )  ,  A^b 


8 


§3 


The  reduction  relation  on  memory  object  descriptions,  cq  ]  Ho  Ci  ;//i,  is  the  transitive 
closure  of  the  single  step  relation.  We  say  e;^J.  evaluates  to  uq  ;  Mo  if  e ;  //  vq  ;  Mo  for  some 

Vo  G  V.  We  can  now  easily  describe  the  functions  defined  by  our  recdef  construct.  Namely 
if  is  defined  in  D  and  (yi,...,ya)  is  its  binding  specification  then  the  corresponding 
partial  function 


is  defined  by 


. .  ,v„  ;^)  Vo  ;mo  =  . .  ,v„)  vo  ;mo 

df 

In  the  following  we  generally  work  with  a  fixed  D  and  will  omit  the  definition  superscript 
on  the  reduction  relation. 

3. 3,  Remarks 

•  It  is  easy  to  see  that  for  any  memory  object  description  at  most  one  of  the  single  step 

rules  applies.  Thus  the  single  step  relation  is  functional  as  is  the  corresponding  evaluation 
relation  e  ;  /io  »  . 

•  We  use  memory  operation  and  function  symbols  in  two  contexts:  in  terms  denoting 
memory  objects  and  in  memory  object  descriptions.  In  the  term  context  we  include  the 
memory  as  an  argument  while  in  the  memory  object  description  the  memory  is  not  included 
in  the  argument.  For  example,  car(/;^)  is  a  term  and  car (/);//  is  a  memory  object  description, 
and  we  have  car(/)  ;  fi  ^  car(/ ;  //).  The  two  uses  of  operation  and  function  symbols  should 
cause  no  confusion. 

•  The  values  of  the  binding  expressions  of  a  let  construct  are  evaluated  in  sequence. 
Then  the  free  occurences  of  the  variables  in  the  body  of  the  expression  are  replaced  by  the 
corresponding  values.  The  binding  expressions  are  evaluated  in  their  original  environment 
and  not  the  one  being  created  by  the  let  .  The  seq  construct  provides  for  sequencing  of 
computations.  It  is  similar  to  the  PROGN  construct  of  Lisp.  We  should  point  out  that  seq 
is  definable  in  terms  of  let  since 


seq(  Cq  5  ^1  ?  •  •  •  ?  ) 


is  equivalent  to 

let  {xo  ^  eo,Xi  ^  Ci, .  .  .  ,Xn  -e  CnjXn 

Definition  by  cases  is  handled  by  the  if  construct.  Notice  that  ets  usual  in  Lisp  any  non-NIL 
value  of  the  test  is  considered  true, 

•  We  have  not  included  a  means  of  dynamically  assigning  values  to  variables,  such  sls  the 
Lisp  SETQ  mechanism.  For  present  purposes  the  inclusion  of  such  mechanisms  mainly  com¬ 
plicates  the  semantics.  They  become  interesting  in  a  computation  theory  where  functions 
can  be  returned  as  values. 
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♦  Our  notion  of  memory  structure  is  essentially  that  of  Burstall  [B],  although  the  presen¬ 
tations  are  somewhat  different.  Burstall  treats  computations  described  by  flowchart  pro¬ 
grams  and  develops  proof  rules  for  proving  properities  of  certain  list  and  tree  like  memories. 
We  treat  computations  described  by  systems  of  recursive  definition  euid  prove  properties  of 
the  functions  described  by  these  computations.  In  this  paper  we  treat  a  larger  variety  of 
programs  2w:ting  on  much  less  restricted  domains.  We  focus  on  mathematical  properties  of 
the  S-expression  domain  and  do  not  develop  any  formal  proof-rules. 

3.4.  Abbreviations 


In  addition  to  the  betsic  constructs  of  our  language,  we  also  use  constructs  like  and, 
not,  or  and  ifn.  They  are  taken  to  be  the  usual  Lisp  abbreviations  or  macros  namely: 

and(ei,e2)  =  il(ei,C2,NIL) 
df 

or(ei,e2)  =  if  (ci, 1,62) 
df 

not(c)  =  il(c,NIL,T) 
df 


Hll(€test  9  ^then  9  ^else  )  (^test  9  ^elsei  ^then) 

df 

In  addition  we  have  a  condAike  construct  ils,  where 

ii s(e^.egt ,  ^then  •  •  '  ^test  >  ^then)  ^  ^^(^test  5  ^then  ’  ^^(^test  ^  ^then  *  •  *  ^^(^test  ?  ^then  ^  •*•)))• 


It  is  common  in  Lisp  programs  to  test  for  atoms  rather  than  pairs.  The  test  atom  is  defined 
by 


ttfom(c)  =  not(cons?(c)). 
df 

Rather  than  explicitly  use  the  recdel  function  we  write  function  definitions  in  the  tradi¬ 
tional  manner,  only  implicitly  using  the  recdef  operator.  For  example  the  definitions  of 
append  and  memq  are 

appcnd(u,v)  ^  il(u, c(?ns(car(u),append(cdr(u)),v)),v) 
memg(element,list)  -f— 

if(cg(element,caf  (list)), 

T, 

memg(element,  cdr(list))), 

NIL) 

We  are  also  somewhat  liberal  in  what  we  shall  use  as  variables,  using  words  with  suggestive 
names.  If  Z?  is  the  system  of  definitions 

recdef((/o,6so,co),. .  •  ,(/n,&Sn,«n)), 
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then  we  say  D  is  a  tail-recursive  system  if  and  only  if  no  function  symbol  which  is  defined 

in  P,  appears  in  D  either  in; 

1.  The  test-expression  of  an  if  expression, 

2.  a  binding  expression  of  a  let  expression, 

3.  an  expression  other  than  the  last  in  a  seq  ,  or 

4.  an  expression  that  is  ein  argument  to  a  function  or  operation  symbol  in  D. 

It  is  well  known  that  functions  so  defined  can  be  implemented  on  low-level  machines  without 
the  use  of  a  stack,  see  for  example  [Tu]  or  [F].  For  example,  the  following  definition  of  the 
list  length  function 

length{l)  •*—  it{l,addl  {length{cdr{l))),0) 

is  not  tail-recursive.  WhereM  the  following  system,  which  defines  an  extensionally  equiva¬ 
lent  function,  is  tail-recursive. 

length{l)  *—  len(l,0) 

len(l,n)  ■*—  ii(l,len(cdr(l),addJ  (n)),n) 

4.  More  about 

In  this  section  we  study  the  particular  memory  structure  lUI,e*p  that  we  defined  in 
section  2.  It  will  be  the  principle  memory  structure  that  we  shall  deal  with  in  the  rest  of 
this  paper.  Henceforth  all  memory  objects  will  be  eissumed  to  be  in  M,eip  unless  otherwise 
stated.  Hopefully  by  the  end  of  this  section  any  person,  that  has  used  Lisp  or  has  been 
subjected  to  a  mathematical  treatment  of  Lisp-like  languages  will  have  developed  a  practical 
intuition  about  this  memory  structure  model.  We  begin  by  showing  how  a  memory  object 
V  ;  /ii  €  Mjexp  can  be  represented  using  the  .traditional  Lisp  boxes  and  pointers  notation. 

For  example  if  we  let  no  be  the  memory: 

{<  /o,[F00.1i]  >,<  /i,[BAR,/2]  >,<  /2,[BAZ,NIL]  >} 

then  we  can  represent  the  memory  object  Iq  ;  /io  by  the  following  diagram  (which  is  taken 
from  [To]): 


^  I  ! — : — I 

9  I  •— - ►!  9  I  •-+ 

'  -I— 


t  j  ^ 
♦ 


If  rplacd{lo,lo) ;  Mo  ^  I  then  the  memory  object  Iq  ;  pi  looks  like 
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Another  example  where  two  memory  objects  share  structure  is  in  ^2  >  where  fi2  is: 
{<  /oi[A,/2]  h'i[^J2]  >•><  >)<  ^3>[C,  nil]  >} 

/i2  itself  can  be  represented  by  the  diagram: 


r  ] 

{  f  i 

♦ 


t 

p 


■4 


f  !  ^ 


T 


We  often  use  the  suggestive  boxes  and  pointers  way  of  speaking  about  memory  objects  when 
it  suits  our  purpose.  The  boxes  we  call  cells  and  a  pointer  is  just  another  way  of  refering 
to  the  a  location  or  cell.  Henceforth  cc//,  location ^  and  label  will  be  used  synonymously. 

4.1.  Viewing  memory  objects  as  labeled  trees 

There  is  a  very  simple  way  of  regarding  an  S-expression  memory  object  as  a  labelled 
tree.  For  v  ]  E  we  define  a  partial  function  Xx.{v  ;  //)*  from  T  to  V  and  its  domain 

by  induction  on  T: 

_  j  V  if(T  =  a,  the  empty  word  in  T 

(V  ;  -  j  j .  if  cr  =  0-0  O  i,  i  e  2  and  (u  ;  n)ao  €  L 

When  refering  to  tree  function  \x.{v  ;//)*  we  generally  drop  the  A  and  simply  write  (v  ;/i). 
Thus,  (u  ;  ^t)  is  the  least  function  from  T  to  V  satisfying; 

■  °  and  (v  ;  /x)a  =  V 

and  \i  <T  €.  and  (u  ;  n)a  =  /  S  L  then 
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•  crojE  and 

■  (u;M)<roy  =  MOiy  fori  ^  2 

Our  notation  in  this  regard  is  similar  to  that  of  [Mo], 

We  call  {v  ;  /i)  the  derived  tree  function,  or  the  labelled  tree  that  is  defined  by  v  ;  fx. 
Note  that  the  following  facts  are  true  for  these  functions. 

Proposition  1:  For  any  vjfi,  is  a  non-empty  subtree  of  T,  with  the  property  that 
if  (Toy  €  for  j  €2  then  (v  ;  n)a  €  L.  If  <to  o<J‘i  €  then 

1.  (To  G  and  (Xi  G 

2.  (V  ,  /i)c7oO<7l  ((^  )  M)<7o  5  /^)<7l 

nthcdr  example:  Consider  the  following  well-known  Lisp  program 

nthcdr{ji^l)  ^  if  (cy(n,0),  1,  niAcdr(su6i (n),  cdr(l))) 

The  significance  of  this  function  is  expressed  by 

nthcdr{nj)  =  (/  ;/i 

when  both  sides  are  defined,  or  equivalently  when  either  is  defined. 

We  will  sometimes  refer  to  a  (when  a  is  in  the  domain  of  the  derived  tree  function  of 
a  memory  object  t;  ;  )u  )  as  a  ear-cdr  chain  in  v  ;  fi,  for  the  obvious  reason  that  {v  ;  /i)^  is 
the  location  or  cell  one  obtains  by  a  suitable  composition  of  the  memory  operation  car  and 
cdf ,  Thus  we  can  define  the  notion  of  the  cells  of  a  memory  object  which  are  accessible  by 
car-cdr  chains. 

We  define  Cells^(v)  to  be  set  of  cells  that  are  reachable  from  v  ;  /i  by  travelling  along 
any  car-cdr  chain,  and  Cells^(t;)  to  be  set  of  cells  reachable  from  v  ;  ^  by  travelling  along 
any  non-empty  car-cdr  chains.  Thus 

Cells^(v)  =  {/  e  L I  (3(T)(i; ;  =  1) 

ai 

Cells<(t;)  =  {leL\{3(T^a)iv;^),=l} 

di 

Notice  that  we  could  also  define  Cells^(t;)  to  be  the  smallest  subset  X  of  6fj,  such  that  by 
letting  fix  be  the  restriction  of  fi  to  Jf,  we  have 

V\flx^  Msexp- 

Consequently,  if  we  were  only  interested  in  the  memory  object  v]fi  it  would  for  most  intents 
and  purposes  be  reasonable  to  assume  that  Cells^(z;)  =  6^. 
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We  often  wish  to  define  a  set  of  cells  (or  values)  that  have  a  particular  property  and 
are  reachable  from  a  given  cell  via  paths  which  only  pass  through  cells  with  this  property. 
The  following  constructions  give  a  general  way  of  making  this  type  of  definition.  Let 
be  predicates  on  for  i  €  2,  then 

■  TC(t; ;  4^,  $0  5^i)  to  be  the  smallest  set  X  such  that 

1.  If  ;  /i)  then  v  €  X 

2.  If  /  G  X  and  ^q{1  ;  /i)  then  (I ;  /i)o  e  X 

3.  If  /  €  X  and  $i(Z ;  //)  then  (/ ;  /z)i  G  X 

■  STC(u  ;  //,  is  the  smallest  set  X  such  that 

1.  If  Z  G  X  or  /  =  -y  then  if  i  m)  then  (Z  ;  /x)o  G  X 

2.  If  Z  G  X  or  Z  =  y  then  if  $i(Z ;  /x)  then  (Z  ;fx)i  €  X 

For  example 

Cells^(y)  =  TC(y  and  Cells<(y)  =  STC(y 

where  y  ;  /i  G  iff  y  G  L  and  (//  ;  y)j  G  L  and  y  ;  /x  G  iff  ^  ^  1-.  We  shall  make 
frequent  use  of  these  constructions  in  later  sections.  We  sometimes  write  TC(y  ;  or 
STC(y  ;  $)  when  all  three  predicates  are  the  same.  TC  stands  for  transitive  closure, 

while  STC  stands  for  strict  transitive  closure. 

4.2.  Equivalence  relations  on  memory  objects 

Often  a  memory  structure  contains  more  detail  than  is  necessary  for  the  task  at  hand, 
for  this  reason  we  define  two  notions  of  similarity.  The  first  is  the  most  obvious.  We  say 
two  memories  /xq  and  /xi  are  isomorphic,  written  /xq  —  Mi  ,  if  there  is  a  bijection,  h,  from 
V  to  V  which  is  the  identity  on  A  and  maps  L  to  L  with  the  property  that  h  o  /xq  =  Mi  • 
Since  we  mainly  deal  with  memory  objects  not  simply  just  memories,  we  also  define  the 
corresponding  notion  for  memory  objects.  For  this  we  use  the  tree-function  (y;M)  associated 
with  y  ;  m- 

Definition  of  isomorphic  memory  objects:  If  yo , . . . , yn  ;  M^  ^  ^  ^  M«zp  ^ 

we  say  yo , « •  • ,  Vn  ;  M  is  isomorphic  to  yo , . . . ,  y^  ;  M*  j  written 

yo,...,yn  ;m- ;M% 

if  there  is  a  bijection  Zi:  V  — ►  V  which  is  the  identity  on  A,  maps  L  — L  and  is  such  that 


ho{vi;tJ,)  =  («;  ;/i*) 


as  partial  functions,  for  every  i  En  +  1. 

Notice  that  if  Cells ,  for  z  G  2,  then  saying  that  yo  ;  Mo  ~  ;  Mi  is  the  same 

as  saying  that  mo  —  Mi  via  h  where  h  has  the  additional  property  that  h{vo)  =  yi .  Another 
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important  point  to  observe  is  that  S-expression  memory  operations  preserve  isomorphism. 
For  example, 


Note  that 

Vo  ;m 


l,v  ;  ^  r  ,v*  ;  fi*  —>■  rplaca{l,v  •,  fi)  ^  rplacaQ*  ,v*  •,  fi*). 

A  ...  A  Vn-,p^v^-,p*  -f*  Vo,. .  .,Vn  ;  p  ^  Vq,.  . .  ,v^  ;  p* . 


Another  equivalence  relation  that  is  not  quite  as  useful  in  this  paper,  but  does  have  a 
special  significance  in  the  subject  is  that  of  Lisp  equality. 

Definition  of  Lisp  equality:  We  say  vq  ;  po  and  Vi  ;  pi  are  Lisp  equal,  written 


Vo  \  Po  =  Vi  \  Pi, 


iff  ;  Po)  and  (vi  ;  pi)  have  the  same  domains  and  (vq  ;  po)<r  =  a  when  and  only  when 
(vi  ■,pi)t,  =  a,  for  (T  e  a  ^ 

Notice  that  r/o ’>  tM)  =  ]  pi  means  that  vq  ;/io  and  Vi  ^pi  have  exactly  the  same  car-cdr 

chains.  Also,  Lisp  equal  objects  print  the  same  (for  typical  printing  algorithms).  As  we 
have  alreiidy  mentioned: 

Proposition  2: 

1.  =  and  ^  are  both  equivalence  relations. 

2.  If  Vo  ;  /io  —  vi  ;  pi  then  Vo  ;  Po  =  ;  pi ,  the  converse  is  patently  false. 

3.  If  D  is  a  definition  and  t?  is  a  function  defined  in  D  then  the  partial  function  determined 
by  this  definition  preserves  isomorphism.  By  this  we  mean  that  if  vo,...,Vn  p  — 
Vo )  •  •  •  5  V*  IP*  then  t9[vo , . . . ,  v„]  ;  p  ^  d[vQ , . . . ,  v*  ]  ;  /i*  whenever  either  (equivalently 
both)  denote. 

We  should  idso  point  out  that  more  model  theoretic  definitions  of  these  two  equivalence 
relations  are  possible,  but  we  shall  not  do  this  here.  For  vo,Vi  6  V  we  say  vo  =  Vi  iff  either 
Vo  and  vi  G  L  or  else  vo  =  Vi .  Using  this  we  have  the  following  pointwise  characterization 
of  =. 

Proposition  3:  The  following  are  equivalent 

1.  Vo  ;mo  =  vi  \pi 

2-  ^(t.o;/io)  =  =7  and  V<t  €  7  (vq  ;  po)<T  =  (vi  ;  Pi)a. 

Notice  that  proposition  1  together  with  proposition  3.  implies 
Proposition  4:  If  lo  ;p  and  li  ;  p  G  then  the  following  are  equivalent 

1.  Iq  p  =  li  p 

2-  {lo  {h  ;  M)i  ;  M  for  i  €  2. 

In  other  words  two  S-expressions  are  Lisp  equal  iff  their  cars  and  cdrs  are. 
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4.3.  Some  sub-domains  of 

We  now  define  some  important  subdomains  of  M^cxpj  and  terminology  that  we  use 
correspondingly. 

Definition  of  well-fotmded  S-expressions:  We  say  that  t; ;  /i  is  a  well-founded  S- 
expression,  written  t;;/x  G  M^/gexpy  if  is  a  well-founded  tree.  Here  are  several  equivalent 
ways  of  expressing  well-foundedness.  One  is 

v  ^  Cells<(^;)  A  (V/  €  Cell8<(i;))(;  ^  Cells<(/)). 

Thus  G  Mw/aexp  then  all  car-cdr  chains  in  /;/i  must  eventually  terminate  at  an  element 
of  A.  A  second  equivalent  definition  is  that  the  derived  labelled  tree  is  finite.  It  is  important 
to  notice  that  if  I*  G  Cells^(/)  and  I  G  Mu;/««xp  then 

Cell8^(Z*)  C  Cells^(/) 

with  equality  holding  only  when  /*  =  Z.  Also  notice  that  when  I  ]  €  Mtt,/«e*p  then 

Cells^(Z)  =  Cells<(Z)  U  {Z} 

and  this  union  is  disjoint,  while  disjointness  is  not  necessarily  true  if  we  only  know  that 
I  ]fjt  G  Mggjcp.  We  make  two  last  remarks  concerning  M,4,/^exp-  ^w/^cxp  factored  out  by  =  is 
canonically  isomorphic  to  the  structure  one  obtains  by  closing  A  under  a  pairing  operation, 
see  for  example  [Mo].  Secondly,  for  any  memory  object  v  ]  jj,  G  M«;/«ffxp  there  is  a  closed 
term  e,  i.e  one  with  no  free  variables,  which  contains  only  the  operations  car,  cdr  and  cons, 
and  of  course  no  function  symbols,  such  that  e  ;  0  »  v*  ;  //*  and  v  ;  ^  v*  ;  fx* .  Here  0 

denotes  the  empty  memory.  If  we  do  not  include  the  let  construct  in  the  set  of  terms,  then 
we  can  only  obtain  =  in  this  last  result. 

Definition  of  lists:  There  are  two  different  notions  of  list  depending  on  whether  one 
allows  cyclic  lists,  in  this  paper  we  will  refer  to  the  non-cyclic  version  as  Mn^t  and  the 
possibly  infinite  variety  by  McUgt, 


v]fxG  Miigt  ^  (3w  €  M)(i; ;  fi)in  =  NIL. 

Thus  Z ;  ^  is  in  iff  some  cdr-chain  leads  to  an  atom  and  this  atom  is  NIL. 

V  \}1  G  ^eliat  ^  G  A  (v  ;  /x)in  E  A  — ^  (v  ;  Jjt)in  =  nil). 

A  simple  example  of  a  function  on  is  length,  (defined  in  section  3.4).  Its  basic  property 
is  that  for  any  v  \  ^  G  we  have  that  (i; ;  /.i)ii«nfli/t(t,)  =  NIL.  Later  on  we  will  describe 
a  length  function  that  is  defined  for  all  of  MgUgf  To  make  talking  about  lists  somewhat 
easier  we  have  the  following  notation.  The  set  of  cells  that  are  reachable  from  a  non-NIL 
elist  Z ;  /i  G  only  by  using  the  the  function  cdr  is  called  the  spine  of  the  list.  Namely 


Spme^(0  =  {(;  ;  /i)i«  |  1”  €  -  {NIL}. 
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Suppose  Iq  \fio  €  Mjiat  is  such  that 


Spine^o(^o)  =  {lo---U} 

with  iio{k)  =  [v»  ,  U+i]  for  i  En  and  /lo^n)  =  [vn  ,  NIL].  Then  we  say  Iq  ;^o  represents 
the  Lisp  list  {vq  Vi  ...  Vn).  We  call  the  Vi  the  elements  of  the  list  Iq  ;  /xq  and  put 

Element8^(,(/o)  =  [vo,  -  •  •  We  say  Iq  ;  fiQ  is  a  pure  list  if  Spine^jj(/o)  is  disjoint  from 
the  set 

U  Cen5,„(vi). 

v^eElements^Q  (lo) 

Thus  a  pure  list  is  determined  up  to  isomorphism  by  the  sequence  of  its  elements. 

4.4.  The  Equality  Program 

We  finish  of  this  section  by  showing  that  our  notion  of  Lisp  equality  agrees  with  the 
usual  notion  on  M^f^exp-  Consider  the  following  well  known  program. 

e7tta/(u,v)  4— 

if  (or(  atom  (u),  atom(v)), 
eg(u,v), 

and(e}ua/(cor(u),car(v)), 
equal{cdr{u),  cdr(v)))) 


Theorem  1;  equal  is  a  total  function  from  to  having  values  amongst 

{NIL,T}.  Further,  if  vq  ;  /u,  Vi  \p,  E  M,uf»exp  then  the  following  are  equivalent: 

1.  cgua/(i;o,Vi)  ;/x  »  T  ;  ^ 

2.  vo\n  =  Vi\n 

Proof:  We  prove  the  theorem  by  induction  on 

r(t;o,Vi  ;m)  =  |Cell3^(t;o)|  X  |Cells^(vi)|. 

Base  case:  r(vo,Vi  ;  /x)  =  0.  In  this  case  t/j  €  A  for  at  least  one  x  E  2,  and  so 

equal(vo,vi)  ;  ytx  »  eq(vo,Vi)  ; /x. 

Since  we  have  that  eq(vo ,  vi ) ;  /x  ^  T ;  /ix  iff  x;o  =  vi  and  vq  ;  ^  =  ;  /x  iff  vq  =  ui  the  theorem 

is  true  in  this  case. 

Induction  step:  Suppose  r(vo ,  ;/x)  >  0  and  that  the  theorem  is  true  for  any  vj ,  V3  ;/Xo  E 

l^wfsexp  of  less  rank.  Thus  t;o  and  €  L  and 

equal(vo,vi)  ;/x  ^  SLnd{equal{car{vo),car{vi)),equal{cdr{vo),cdr{vi)))  ;/x 
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If  we  let  Via  =  M(vi)io  and  Vid  =  /x(z;,)li,  for  i  E  2  then  we  have 

equal{vo,Vi)  »  and(eguo/(t;oa,Via)»  e7«a^(cdr(vo),C(ir(vi)))  \n. 

Now  since  Vi  €  we  have  that  r{voa,‘Via  i  ti),'r{vQd-,vid  i  )w)  <  r{vo,Vi  ;  //).  Consider 

two  cases. 

Case  1:  U  vq  ;  fi  =  vi  ]  iJ,  then  by  proposition  4.  voa  ;/i  =  via  ;  /i  and  vod  ;  //  =  uid  ;  //.  So 

egua/(t\),vi)  ;  n  »  and(  T,e?ua/(cdr(t;o),cdr(vi)))  ;  n  :§>  eguaZ(vod, vid)  ;  M  >  T  ;  /i. 

Case  2:  If  vq  ^  vi  ;/x  then  again  by  proposition  4  either  voo  ^  ;M  or  vo<j ;//  ^  vu  ;/i. 
Suppose  uqo  ;  ^  M  ^hen 

e?«a/(uo,Vi)  ;/i  »  and(NIL,cgua/(cdr(t;o),cdr(vi)))  ;/ii. 

However,  if  uq*  ;  M  =  vio  ;  then 

equal{vo,vi)  \  n  »  equal{cdr{vo),cdr{vi)) ;  /i  »  NIL  ;  fi. 


^Theorem  1 

One  final  remark  is  that  the  above  proof  can  easily  be  modified  to  show  that  the  more 
efficient  version  of  equal  given  below  also  satisfies  this  theorem. 

equal{u,v)  •<— 

il  ( eg(u,  v) ,  T,if  (or(  atom  (u) ,  atom  (v) ) , 

NIL, 

and(  egua/  ( car  (u) ,  car  (v) ) , 
equal{edr{}i),cdr  (v))))) 

5.  Four  simple  correctness  proofs. 

In  this  section  we  present  four  well  known  Lisp  programs,  and  prove  theorems  asserting 
their  correctness.  None  of  the  proofs  is  in  any  way  deep,  the  main  purpose  being  tutorial,  in 
that  we  show  both  how  to  formulate  correctness  results  and  how  they  €u:e  proved.  The  reader 
who  is  not  so  interested  in  methodology  but  rather  results  should  simply  skip  the  proofs,  Eis 
the  specific  techniques  of  proof  in  this  section  are  not  duplicated  in  the  subsequent,  more 
complex  proofs. 
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5.1.  Example  1:  Inplace  Reverse. 

In  this  example  we  prove  the  correctness  of  a  destructive  reverse  program,  the  so  called 
inplace  reverse. 

inplace:reverse{'a)  -t—  in:fct;(u,NIL) 

*n:rcv(u,v)  •<— 
if(u, 

let{tl  cdr(u)}8eq(rp/ocd(u,v),tn:rev(tl,u)), 

V)) 

Clearly  inplace:rever8e{'SlL)  ;  fi  NIL  ;  fi.  In  general  inplaceireverse  reverses  a  list  by 
reversing  the  pointers  along  the  spine  and  changing  nothing  else.  This  is  expressed  by 

Theorem  2:  If  Iq  ;tiQ  E  Mj»»t  represents  the  Lisp  list  (uo  Vi  V2  ••  •  Vn)  with  Spine^ji  (/o)  = 
{lo  In}  then 

inplace:rever8e{lo)  /Iq U  ]  Mn+i 

where  l„  represents  the  Lisp  list  (t;„  v„_i  ...  V2  vi  vo),  Spine^^^j(/„)  =  {/„..  .lo}, 

fii  =  aetcdr{lo,  NIL  ;  /io)>  and  Mi+i  =  aetcdrQi,  li^i  ;  //,),  for  i  €  n  +  1.  In  addition 
with  (in+i  differing  from  /io  only  on  {/j}i€n+i. 

Corollary  1;  inplace:reverae{inplace:reverae{lQ  ;  ^o))  =  lo  >1^0 

Notice  that  unless  Iq  ; is  a  pure  list  we  will  not  have  that  v, ; ^n+i  =  Vi  ;jJo,  in  other 
words  inplace ireverae  may  alter  the  elements  of  the  original  list.  However  a  little  careful 
thought  on  the  matter  will  show  that  there  is  no  particularly  obvious  candidate  for  the 
epitaph  reverae  of  a  list  in  such  structure  sharing  situations. 

Proof  of  Theorem:  We  will  show  by  induction  on  i  that 

PI.  in:rev(lo,NIL)  ;/Jo  »  tn:rev(;j+i  ,/<)  »  m:rev(NIL,i„)  ;Mn+i 

P2.  i  ^  j  ^  n  >■  Hoijj}  ~  Mt+iOy) 

P3.  0  <  y  *  ’■  M»+iOy)  ~ 

Note  that 

.  for  0  <  j  <  n  no{lj)  =  [vj,/y+i]  and  =  [vj,lj-i] 

•  for  any  I ;  n  G  with  u  ;  p,  =  cdr{l)  ;  p  we  have  by  computation 

in:rev{l,v)  ;  p  ;t> 

»  if(/,  let{ii  cdr{l)}[rplacd{l,v),in:rev{ti  ,l)],v)  \p 
let{fi  -<r  cdr{l)}[rplacd{l,v),in:rev{ti,l)\  ;p 
»  in\rev(u,l)  ;  setcdr[l,v  ;  pi) 
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.  since  Iq  ifio  €  we  have  k  7^  Ij,  whenever  i  ^  j,  and  i,j  6  n  +  1. 

Case  i  =  0:  By  computation,  since  h  ;no  =  cdr{lo) ;  juo  and  =  sefcdr(lo,NIL  ;  fio)  we 
have 

m:rev(/o,NIL) ;  no  in:rev{liylo)  ;  Mi 
Thus  PI  holds  for  i  =  0.  Since  mi  differs  from  Mo  only  on  Iq  we  have  that 

Mo{^«)  =  Ml  G»)  for  0  <  s  <  n 

so  P2  holds.  P3  is  vacuous. 

Induction  step:  Suppose  0  <  i  <  n  and 

m;rer;(/o,NIL)  ;mo  ^  ;m» 

with  fij  satisfying  P2  for  *  —  1  <  y  <  n  and  P3  for  0  <  j  <  i- 1.  Thus  ;m»  =  cdr{li)  ;mo  = 
cdr{li)  ;  M»-  By  computation  again  we  have 

in‘,T6v{li^lx—\)  5  M»  ^  J  Mt-Hl 

where  Mt+i  =  setcdr{li,li-i  ;  m»)-  and  P3  hold  for  m»+i  because  it  only  differs  from  Mi 
on  li. 

Termination  case:  So  far  we  have  shown  that  for  0  <  i  <  n 

m:rei;(/o,NIL)  ;  mo  ^  in:rev{li,li-i)  ;  m» 

with  fij  satisfying  P2  for  i  <  j  <  n  and  P3  for  0  <  j  <  i.  Thus  P2  and  P3  are  proved  and 
cdr[ln)  ;  Mn  =  NIL  ;  Mn-  By  computation  we  have 

in:rev{ln,ln-i)  »  m:reD(NIL,/„)  ;Mn+i 

where  Mn+i  =  setcdr{ln,l„-\  ;  Mn)- 
□f'l,P2,P3 

The  theorem  now  follows  from  the  above  and  the  simple  observation  that 
inplace:reverse{lo)  ;  Mo  S>  m:rev(lo,NIL)  ;mo  ^  ^n  JMn+i- 
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5.2.  Example  2:  Iterative  Append. 

We  now  prove  the  correctness  of  an  iterative  append  program.  It  constructs  a  list  with 
the  same  elements  as  its  first  argument  and  destructively  appends  the  second  argument  to 
the  end  of  this  new  list.  It  does  not  eilter  the  original  memory  on  any  pre-existing  location, 
thus  it  is  sometimes  called  a  locally  dirty  program. 

iterative:append{v.,v)  *— 
il(u, 

V, 

let{w  cona{car{xL),v)}  it:app{v,v,v,  cdr(u))) 

*t:app(v,val,w,u)  <— 
il(u, 
val, 

it:app{v, 

val, 

cdr(rplacd{v,  cons(car(u),v))), 
cdr(u))) 

Clearly  iterative:append{KIL,  v)  ;  /z  »  t; ; 

Theorem  3:  If  /q  ;  juo  S  represents  the  Lisp  list  (^;o  vi  V2  . . .  with  spine 

{lo...ln}  and  Maeip  then 

iterative: appendQo,  v)  ;^o  2>  Iq  ;Mn+i 

where  =  ^#*0  {^o  >  •  •  ■  ^  ^  Jt  hJ  €  n  -H  1.  Furthermore, 

1-  =  [vi,  li+i]  for  i  <  n 

2-  Mn+i  =  Mo  on  Sfig. 

Corollary  2:  If  /q  ;  Mo  is  as  above  and  v  ;  po  represents  the  list  (u^t) ,  •  •  • ,  Wm)  with  spine 
{jn+l  •  ■  •  ^n-f‘TTi.+ 1  }  then  iterative:append{lo^  v)  ;  i  Mn+i  and  Iq  ;  Pn-i^i  represents  the 

list  {vo,...,Vn,WQ,...,Wm)  with  spine  {Iq  . .  ./* 

Proof  of  Theorem  3:  For  1  <  i  <  n  we  define  /i,-  and  by  pi  =  p^  and  for  Z  >  0 

—  cons{vi,v)  ;  pi  and  Pi+i  =  setcdr{l^_j^,l!-  ;  p*).  We  prove  by  induction  on  i  that 
for  i  <  n 

PI.  iterative:append{lQ,v)  ;  pq  »  it:app{v,l^,l^ ,li+i)  ■,  pi+i 
P2.  pi+i  =  Pq  on 

where  by  abuse  of  notation  we  let  Zn+i  —  NIL.  Note  that  according  to  the  definitions, 
5^,+!  =  6^,,  u  {/; }  with  ^  . 
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Base  Case  i  =  0:  In  this  case  we  have  by  computation 

iterative:append{lo,v)  ipo  ^ 

»  let{w  ^  cons{car{lo),v)}it:app{v,  w,w,cdr{lo))  ]Po 
it:app{v,lo,lo,li) 'tPi 
where  Iq\Pi  =  cons(vo,v)  -yPo. 

Induction  step:  Suppose  PI  and  P2  hold  for  0  <  <  i  Then  by  computation 

it:app{v,lQ,li_i,li)  » 

»  it:app{v,lQ,cdr{rplacd{li_i,cons{car{li),v))),cdr{li))  \pi 

>  it:app(vXo ,  C  ,^»+i )  I  setcdr[ll_ i , ;  pi ) 

—  it\(ipp{v f 
and  clearly  pi+i  satisfies  PI  and  P2.  □pi,p2 

Now  2  is  clearly  true  so  it  suffices  to  show  1.  Since  /z<+i  differs  from  pi  only  on  and 
on  II  we  have 

IM+i{ll-i)  =  ■  ■  -  = 

for  t  >  1  and  A:  >  : ’  +  1.  Thus  pn+i{k)  =  [vi)l»+i]  for  i  <n. 

^Theorem  S 

5.3.  Example  3:  A  Sophisticated  Length  function. 

In  this  example  we  deal  with  a  length  function  that  not  only  calculates  the  length  of  a 
list,  but  also  detects  whether  the  list  is  infinite.  A  reference  to  it  may  be  found  in  [C]. 

elength{l)  <—  c/en (1,1,0) 
e/en(slow,last,n)  <— 
if  (last, 

if  (cdr(last), 

if  (e5(fast,slow), 
if(e?(n,0), 

e/en(cdr(slow),cdr(cdr(fast)),n  +  2), 

INFINITY), 

e/en(cdr(slow),  cdr(cdr(f  ast)),n  +  2)), 
addl{n)), 

The  key  fact  about  elength  is  given  by  the  following  theorem. 
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Theorem;  Uv;fi€  then 


dengthiv)  ;  /i  =  ( M,.-.* 

I  INFINITY  otherwise 

Proof  of  theorem;  To  prove  that  t; ;  /i  €  M/,-,*  implies  that  dength{v) ;  fi  =  length[v) ;  n 
we  leave  as  a  simple  exercise.  We  do  the  more  difficult  case.  Suppose  that 

lo  \  fi  & 

This  assumption  implies  that  for  n  €  N,  1"  €  and  (Z;/i)ir.  €  L.  Consequently,  letting 

h  —  (^0  ;  m)i<  we  have  by  the  finiteness  of  that 

{[mo, mi]  €  |  mj  >  0  and  =  ^mo+m,  } 

is  non-empty.  Now  choose  [mo, mi]  to  be  the  lexicographically  least  element  of  this  set,  and 
put  X  to  be  the  smallest  solution  to  the  integer  equation 

0  =  mo  +  a:  [mod  mi] 

Now  observe  that  while  Ij  ^  l2j  for  0  <  j  <  i  we  have  that 
elcTi^lo  ,/o  1 0)  j  M  ,^2»  ?  2?)  j  jj, 

Letting  A:  =  mo  +  a:  we  claim 

1.  Ik^hk',  and 

2.  Ij  l2j  for  0  <  j  <  A:. 

It  is  easy  to  verify  that,  by  our  choice  of  notation,  1.  is  equivalent  to 

A:  =  2A:  [mod  mi  ] 

which  is  true  by  virtue  of  our  choice  of  a:.  Now  suppose  there  was  a  j  with  0  <  j  <  k  and 
Ij  =  l2jy  then  by  our  choice  of  notation  we  would  have 

0  =  J  [mod  mi  ] 

Now  if  j  <  mo  then  we  would  contradict  our  choice  of  [mo, mi],  on  the  other  hand  if 
^0  ^  J  <  mo  +  X  then  we  would  contradict  our  choice  of  a:.  Consequently  no  such  j  exists 
and  we  are  done. 


^Theorem 
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5.4.  Example  4;  The  traditional  recursive  copy  program. 

In  this  example  we  deal  with  our  first  copying  algorithm,  the  traditional  recursive  one 
that  one  learns  about  in  introductory  Lisp  courses. 

recursive:  cop  y(u)  +- 
if  (  atom  (u), 

u, 

cons  ( recursive :  copy  ( car  (u) ) , 
rccursive:copy(cdr(u)))) 

We  leave  the  proof  of  the  following  as  an  exercise  as  it  is  a  simple  induction  on  |Cell8^(0|. 
Theorem  4:  If  i ;  /iz  €  M^f,exp  then 

recursive: copy {1)  ;  /z !»  /*  ;  /z* 


such  that 

1.  i ; /z  =  /*  ; /z* 

2.  Cells4Z)nCells^-(r)  =  0 

3.  |Cells^(/)|  <  |Cells^-(Z*)| 

In  general  this  is  not  the  most  useful  copying  algorithm.  It  has  three  obvious  defects. 

•  Firstly  recursive: copy  only  constructs  a  copy  which  is  Lisp  equal  (=)  but  not  necessarily 
isomorphic  (s^)  to  the  original.  In  fact  the  copy  obtained  by  using  this  recursive  program 
is  the  least  compact  S-expression  (up  to  isomorphism)  which  is  Lisp  equad  to  the  original. 
By  least  compact  we  mean  that  the  copy  will  possess  no  cellular  structure  sharing.  So,  for 
some  suitable  / ;  /z  we  actually  have  that 

lCells^.(Z*)|  =  -  1. 

•  Secondly,  recursive:copy  will  not  terminate  on,  let  alone  copy,  cyclic  S-expressions. 

•  Finally,  its  recursive  nature  means  that  it  will  use  up  stack  proportional  to  the  maxi¬ 
mum  depth  of  its  argument,  and  so  on  large  structures  it  may  run  out  of  free  storage.  Also 
since  it  does  not  recognize  shared  structure  it  will  often  duplicate  calls  to  itself. 

One  of  the  aims  of  this  paper  is  to  prove  the  correctness  of  a  copying  algorithm  that 
does  not  have  these  defects.  We  should  remark  that  this  copy  algorithm  does  have  one  nice 
theoretical  feature,  namely 

Proposition  5:  For  any  vq  \  ;  /i  G  M^/gexp  we  have  vq  ;  /i  =  M  if  and  only  if 

recursive:copy{vo)  ;  M  —  recursive:copy{vi)  ;  /x. 
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6.  The  Correctness  of  the  Robson  Marking  algorithm. 

The  first  program  that  operates  on  which  we  shall  deal  with  is  a  marking  algo¬ 

rithm.  We  have  called  it  the  Robson  marking  algorithm  since  it  is  essentially  phase  one  of 
the  Robson  copying  algorithm,  [R] .  It  is  interesting  in  its  own  right  since  it  is  a  more  sophis¬ 
ticated  algorithm  than  the  Deutsch-Shorr- Waite  marking  algorithm,  [D],  [SW].  Although 
in  our  domain  Mscxp  there  are  no  mark  or  field  bits,  this  is  of  no  particular  importance 
since  we  shall  use  abstract  syntax  [Me]  to  hide  this  fact.  The  advantage  of  this  is  that  we 
can  isolate  the  necessary  properties  of  the  implementations  of  the  abstract  syntax  that  are 
required  in  the  correctness  proof.  Thus,  given  a  particular  implementation  of  the  algorithm 
we  can  simply  check  the  correctness  of  the  program  by  checking  that  the  abstract  syntax  has 
the  desired  properties.  We  shall  only  be  interested  in  one  particular  interpretation  in  this 
paper  since  the  second  phase  of  the  Robson  copying  algorithm  makes  use  of  our  particular 
implementation.  An  elegant  treatment  of  the  Shorr- Waite  marking  algorithm  in  a  world 
where  locations  have  mark  bits  can  be  found  in  [Tj. 

The  Robson  marking  algorithm,  like  the  Deutsch-Shore- Waite  marking  algorithm,  uses 
pointer  reversal  to  avoid  using  an  explicit  stack.  Pointer  reversal  is  a  very  powerful  technique 
that  is  used  in  destructive  memory  programming.  The  idea  is  quite  simple;  the  program 
destructively  alters  the  structure  it  is  operating  on  to  store  the  information  that  a  stack 
would  normally  be  used  for.  In  this  case  the  algorithm  scans  the  graph  in  a  left-first  fashion, 
marking  cells  as  it  proceeds.  Since  the  cells  are  marked  when  they  are  first  visited,  looping 
or  repeatedly  scanning  the  same  subgraph  is  avoided.  An  succinct  treatment  of  pointer 
reversal  or  pointer  rotation,  as  it  is  sometimes  called,  may  be  found  in  [S],  although  the 
notation  in  that  paper  heis  an  unfortunate  tendency  to  confuse  control  and  data, 

6.1.  The  Robson  Marking  Algorithm 

In  the  Robson  marking  algorithm  the  process  of  marking  a  cell  consists  of  allocating 
a  new  cell  and  moving  into  this  new  cell  the  contents  of  the  cell  being  marked.  The  cell 
being  marked  is  then  updated  so  that  its  car  contains  a  mark  and  its  edr  points  to  the  new 
cell.  A  mark  is  an  object  specially  allocated  before  marking  and  so  recognizably  not  part  of 
the  structure  to  be  marked.  We  use  seven  different  marks  to  store  more  information  than 
just  simply  whether  or  not  the  cell  has  been  seen  before.  We  shall  denote  these  marks  by 
ER,EL,E10,M00,M01,M10,M11.  Their  meaning  roughly  being  described  by 

EL  -  Exploring  the  left  hand  side  of  the  cell.  If  the  car  is  not  terminal,  then  while  it  is 
being  marked  the  pointer  to  it  will  be  utilized  to  store  the  previous  stack,  the  cell  itself 
then  becomes  the  current  stack, 

ElO  -  The  left  hand  side  is  atomic  or  has  been  visited  before,  now  exploring  the  right  hand 
side. 

ER  -  Exploring  the  right  hand  side  after  having  explored  the  left  hand  side,  which  was 
neither  atomic  nor  already  marked.  If  the  edr  is  not  terminal,  then  while  it  is  being 
marked  the  pointer  to  it  will  be  utilized  to  store  the  previous  stack,  the  cell  itself  then 
becomes  the  current  stack. 
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Mil  -  Both  the  left  and  right  hand  side  are  either  atoms  or  cells  that  were  visited  earlier  in 
the  left  first  scan,  such  cells  are  called  termineil. 

MOl  -  Only  the  right  hand  side  was  terminal. 

MIO  -  Only  the  left  hand  side  was  terminal. 

MOO  -  Neither  the  left  nor  the  right  were  terminal,  and  both  sides  have  been  completely 
investigated. 

In  addition  there  is  a  mark  ALPHA  that  indicates  the  bottom  of  the  stack,  initially  also  the 
top.  A  cell  that  is  marked  either  EL,  ER  or  ElO  resides  on  the  stack,  the  inverted  pointer 
chain.  Marks  may  be  either  atoms  or  cells.  The  crucial  point  is  that  they  must  be  distinct 
from  one  another  and  disjoint  from  the  structure  being  marked.  This  will  be  assumed  in 
the  following. 

The  actual  definitions  of  the  Robson  algorithm  are: 

rmark{s)  *-  if  (otom(8), s,  morAcar(8, ALPHA)) 
marAcar (8, stack)  ♦— 

[mAmarA(8,EL), 
let{tl  a(8)} 

il(termtno/(tl), 

[setm(s,E10),morAcdr(s,8tack)], 

(settt(s,  stack),  marAcor  (tl,s)])] 
marAcdr(s,  stack)  ^ 
let{t2  d(s)} 

±i[terminal{t2) , 

if  8(cg(ER,iii(s)),[sctm(s, MOl),  popstacA(s,  stack)], 
cg(E10,in(8)),[sctm(8,Mll),|>opstacA(8,stack)]) 

(actd(s,  stack),  morAcor(t2,8)|) 

popstacA(8, stack)  •*— 

if  (cj(stack,  ALPHA) , 

s, 

let{tl  a(8tack),t2  d(stack)}, 
if  s(eg(EL,m  (stack)), 

[5etm(stack,ER),scto(stack,8),morAcdr(stack,tl)], 

c5(ER,m(stack)), 

[sefm(stack,M00),setrf(stack,s),popstacA(stack,t2)], 
cg(E10,  m(stack)), 

[setm(stack,M10),fietd(stack,8),popstocA(stack,t2)])) 


26 


§6 


The  program  as  written  above  is  a  tail  recursive  definition,  which  uses  the  abstract 
syntax 


m,a,d,seta,8etd,  mkmark , aetm ,  marked ,  terminal 


The  function  mkmark  does  the  job  of  allocating  the  new  cell  and  placing  the  contents  of 
the  original  cell  in  it,  altering  the  original  so  that  its  car  contains  the  appropriate  mark  and 
its  cdr  the  new  cell,  a  and  d  then  access  the  old  car  and  cdr,  while  seta  and  aetd  update 
them,  aetm  just  replaces  the  mark  without  allocating  any  new  cells,  rriarked  determines 
whether  the  cell  is  marked  and  m  returns  the  mark,  terminal  just  checks  whether  a  cell  is 
terminal,  namely  whether  it  is  an  atom  or  an  already  marked  cell. 

To  be  explicit  we  have  the  following  definitions  of  these  functions. 


m(l)  +—  car(l) 
o(l)  car{cdr{l)) 
d(l)  -t—  cdr[cdr[l)) 

mkmark{l,m)  ^  let{t2-<-  car(l)}[fp/aca(l,m),  rp/acd(l, C(jns(t2, cdr(l)))] 
«ctm(l,m)  •(—  rp/aca(l,m) 
scta(l,x)  rp/aca(cdr(l),x) 
setd(l,x)  rp/ocd(cdr(l),x) 

marked{l)  ^  mem?(cor(l),(ER,EL,E10,MH,M01,M10,M00)) 
terminal{l)  OT(atom{l),marked{l)) 


The  final  product  of  this  program  will  be  specified  in  more  detail  later,  for  now  the 
following  is  sufiicient.  After  rmark-ing  an  S-expression,  all  cells  accessible  from  the  S- 
expression  have  been  destructively  altered  so  that  their  car  contains  a  mark  and  their  cdr 
points  to  a  new  cell  that  contains  the  original  contents.  In  other  words  if  rmark{l) ;//  »  v\ti* 
then  for  /,  G  Cells^(/)  we  have 

cor(/,)  ;  //  »  Va  ;  /i  A  a(/,)  fi*  '>  fi*  and  cdr(/<)  ;  /i  »  vj  ;  A  d(/<)  ;  ;  M* • 

Definition  of  (Z  ;  (Z  ;  We  write  (Z ;  fi)^  to  denote  the  value  of  a(Z)  ;  /i,  (Z ;  ix)^ 

that  of  d(l)  ;  fx,  and  (Z  ;  fx)m  that  of  m(Z)  ;  fx.  Thus,  given  the  above  interpretation  of  the 
abstract  syntax,  when  a,d  oi  m  appears  as  the  argument  to  (Z ;  fx)  it  can  simply  be  taken 
to  denote  10,  11  or  0  respectively.  Often  when  fx  is  fixed  by  some  context  we  simply  write 
Va  and  Vd  leaving  ^x  as  understood. 

Aside:  As  an  aside  we  describe  a  memory  structure  over  which  we  can  model  the  usual 

low  level  implementation  of  a  marking  algorithm,  such  as  is  used  in  mark  and  sweep  garbage 
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collection.  In  this  version  we  work  over  a  memory  structure  that  one  obtains  by  adding  a 
luark  bit  to  a  cell)  short. 

Om.exp  =  ®«®p  C  {Tn,8etm,mkmark} 

Over  this  structure  car  and  cdr  access  the  second  and  third  elements  and  m  returns  the 
first,  cons  returns  a  new  label  with  the  mark  bit  set  initially  to  a  default  value  NIL.  setm 
and  mkmark  simply  update  the  first  bit  and  rplacx  updates  the  cxr  part  for  x  G  {a,d}.  In 
this  version  of  the  program  the  result  of  marking  v  ;  fx  leaves  the  car^cdr  structure  of  v  j  /x 
unchanged,  the  only  modification  is  that  the  mark  bits  in  the  structure  now  contain  the 
appropriate  information  concerning  the  left-first  spanning  tree.  Using  the  above  notation 
we  have  that  in  this  version 


/^(O  —  [(^  5  (J  > 

We  now  return  to  the  subject  at  hand.  Here  and  elsewhere  we  shall  make  a  habit  of 
ignoring  the  value  returned  by  mkmark y  seta^  and  setd,  treating  them  as  being  analogous 
to  setcar  and  setcdr.  This  should  not  cause  confusion  since  none  of  the  programs  in  this 
paper  will  ever  make  use  of  the  value  returned  by  such  an  operation.  The  following  are  the 
properties  of  the  abstract  syntax  that  are  required  in  the  proof.  For  expositiory  purposes 
we  give  them  names. 

Cancellation:  For  x  G  {a,  d}  and  I  ;  /x  marked  we  have 

3etx{lyV2  ]setx{lyVi  ;/x))  =  setx{lyV2  ;m) 


and 


setm{lyV2  ;  mkmark{lyVi  ;/x))  =  mkmark{lyV2  ; /x) 


Absorption:  If  x  G  {a,  d,  m}  and  v  —  /x)*  then  setx{ly  v  ;  /x)  ~  /x. 

Commutativity:  If  x,  y  G  {a,d,  m}  with  x  ^  y  when  I  I*  y  I J*  are  both  marked,  and 

neither  (/ ;  /x)i  =  /*  nor  (/*  ;  /x)i  =  I  then 

s€tx{ly  V  ;  sety{r ,  v*  ;  /x))  =  8ety{l* ,  v*  ;  setx{ly  v  ;  /x)). 


Access:  Finally  for  x  G.{a,d,  m}  and  I  marked  we  have 

x{l)  ;  8etx{lyV  ;  /x)  »  i; ;  8etx{ly  v  ;  /x) 

and  when  I  is  not  marked 

m{l)  ;  mkmark  {I  y  t; ;  /x)  »  v  ;  mkmark{ly  v  ;  /x) 
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6.2.  Methods  of  recursion  and  proof 

We  now  commence  with  the  preliminaries  that  are  required  to  prove  the  correctness  of 
the  Robson  marking  and  copying  algorithms.  We  first  define  the  notion  of  a  spanning  tree 
of  a  graph.  The  idea  here  being  that  to  define  a  function  recursively  on  a  graph  one  must 
choose  a  path  and  an  order  in  which  to  visit  the  cells,  and  to  prevent  looping  one  must 
have  some  means  of  knowing  when  to  stop.  The  first  problem  gives  rise  to  spanning  trees 
whilst  the  second  is  handled,  as  we  have  already  mentioned,  by  modifying  the  cells  as  we 
visit  them  so  that  we  can  recognize  an  already  visited  cell  when  we  see  one.  Of  course  these 
two  problems  are  not  unrelated. 

In  the  correctness  proofs,  of  both  the  copying  and  marking  algorithms,  the  essential 
idea  is  the  same.  We  define  a  memory  transformation  recursively,  which  under  certain 
natural  pre-conditions  corresponds  to  the  result  of  a  simple  recursively  defined  function 
in  our  computation  theory.  These  simple  programs  are  quite  inefficient  in  the  sense  that 
they  are  not  tail  recursive  and  use  up  stack  proportional  to  the  size  of  their  argument. 
They  do  however  have  the  advantage  that  they  are  very  easy  to  to  understand.  We  then 
prove,  again  under  natural  pre-conditions,  that  the  simple  recursive  program  computes 
the  same  partial  function  eis  its  pointer  reversing  counterpart.  This  is  done  by  using  the 
transformation  mentioned  above.  These  pointer  reversing  programs  consist  of  a  set  of 
mutually  tail  recursive  functions  and  thus  use  no  stack.  We  should  emphasize  that  we  have 
included  the  simple  recursive  versions  purely  for  motivation.  They  are  in  no  way  logically 
necessary  for  the  actual  proofs. 

All  proofs,  not  surprisingly,  are  by  induction.  Consequently  we  must  find  some  measure 
which  gets  smaller  as  the  program  progresses.  It  is  here  that  the  TC  construction,  of  section 
4,  comes  in  handy.  In  both  cases  we  can  use  a  variant  of  TC  to  define  a  type  of  subset,  of 
Cells^,  that  measures  the  progress  of  the  algorithms. 

6.3.  Spanning  trees 

For  / ,  //  G  Macajp  we  say  that  wY  is  a  connected  subset  of  Cell8^(/)  if  X  is  the  image  of 
a  subtree  of  T  under  the  map  (/;//).  So,  for  example,  subsets  defined  by  the  TC  operation 
are  connected.  For  JT,  a  connected  subset  of  Cells^(/),  we  define  a  spanning  tree  for  X  at 
/ ;  //  to  be  a  set  5  C  T  having  the  following  properties 

1.  (Vi;  G  X)(3!<7  G  5)(/  ;/i)^  =  v,  and 

2.  5  is  a  subtree  of  T. 

For  convenience  we  say  that  a  cell  is  left  (right)  terminal  with  respect  to  a  spanning  tree 
S  (at  /;//)  if  3<7  G  S  /»  =  but  a  oO  (cr  ol)  is  not  an  element  of  S'.  For  example  in  the 

Robson  marking  algorithm  we  use  terminal  to  mean  terminal  with  respect  to  the  left-first 
spanning  tree.  There  are  various  well  known  spanning  trees  for  graphs,  [A].  We  shall  be 
using  the  left-first  spanning  tree  in  this  paper.  The  left-first  spanning  tree  of  Cells^(t;)  can 
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be  defined  m  follows.  For  I  €  Cells^(t;)  the  function  Left„;^:[Cell8^(t;)  -v  T]  chooses  the 
least  path  in  /x  from  v  to  I  with  respect  to  the  Brouwer-Kleene  ordering  (^). 

left „;;*(/)=  =/ A  Vcro((v;/i)<,o  =Z  ^  <7  :<  (To)- 

The  left  first  spanning  tree  of  ;  /u  is  then  the  image  of  Left„;^  and  is  denoted  by  A„.^. 

A„  =  {Left„;^(/)M  e  Cells^(u)} 

df 

Now  given  that  S  is  a  spanning  tree  for  X  at  /  ;  /i  and  /q  €  X,  we  say  that  li  lies  below  Iq 
in  S  if  3(70, e  T  such  that 

1.  (7o,(7i  e  S 

2.  (/ ;  for  ie2,  and 

3.  (To  <  (Ti  in  T. 

Similarly  we  can  talk  about  Iq  being  above,  to  the  left,  or  to  the  right  of  in  S,  We  also 
put 

5(/q)  =  {/i  I  lies  below  Iq  in  5}. 

Observe  that  S{lo)  Q  X  and  that  if  li  lies  below  Iq  in  S  then  S{li)  Q  S{lo)  with  equality 
holding  only  when  Iq  =li, 

6.4.  The  reciirsive  Robson  marking  program  and  transformation 

We  now  define  the  simple  recursive  program  recirmark^  a  straight  forward  left- first 
recursive  marking  algorithm.  Thus  fecimark  traverses  the  graph  by  following  the  left-first 
spanning  tree.  A,  in  the  Brouwer-Kleene  ordering. 

rec:rmark{s)  ^  if  (ai(?m(s),s,  [rccrrmarii  (s),s]) 
rec:rmarkl{s)  ^ 

[mAmarA;(s,EL), 
if  (icrmina/(a(s)), 
if(  terminal{d{B))^ 

5e^m(s,Mll), 

[5eim(s,M10),  rec:rmarkl  (d(s))]) 

[rcc :  rmorA:i  (  o  (s) ) , 
if  (^ermma/(d(s)), 

«cim(s,M10)5 

[5eim(s,M00),  rec:rmarkl{d{s))])])] 

The  set  that  we  use  induction  on  to  prove  properties  of  recimark  and  of  its  pointer 
reversa/ counterpart  is  Unmarked^ (/).  It  consists  of  all  those  cells  that  are  unmarked  and 
are  reachable  from  I  via  paths  through  unmarked  cells. To  be  precise: 
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Definition  of  Unmarked^  (/); 

Uninarked;i{/)  =  TC(Z ; 

df 


where  ;  /i)  iff  i;  €  A  or  ;  /i),  and  ;  fi)  iff  mark€d{v)  ;  ^  »  T  ;  /i. 

The  transformation  on  memory  objects  that  we  use  to  prove  that  rmark  and  recirmark 
agree  can  now  be  defined.  We  first  state  some  assumptions  that  are  needed  to  ensure  that 
the  transformation  is  well-defined.  Since  we  will  often  make  use  of  these  assumptions  we 
give  them  a  name,  RM  condition. 

RM  condition:  A  is  the  left  first  spanning  tree  for  Unmarked^(/)  at  /;/z,  I*  ;/i*  is  such 
that  I*  E  Unmarked^ (/),  and  fj,*  =  fx  on  all  cells,  including  /*,  that  lie  below  I*  in  A. 

Definition  of  RM:  We  define  the  transformation  RM^.  (/*)  on  memories  recursively  as 
follows: 


RM^^.{r)  = 


< 


mkmark{l*  ,U11  m*) 
^'■^mfcmorfc  {1‘  .MOl  )  (^o  ) 


if  I*  is  both  left  and  right  terminal  w.r.t  A 
if  I*  is  right  but  not  left  terminal  w.r.t  A. 
if  I*  is  left  but  not  right  terminal  w.r.t  A. 
if  I*  is  neither  left  nor  right  terminal  w.r.t  A. 


where  n**  =  mkmark{l*  ,M00  ;  //*)  and  /*  =  (Z*  ;  //*)*  for  x  G  {a,  d}.  We  have  the  following 
simple  properties  of  RM^-  (Z*  ) 

Proposition  5:  If  A  is  the  left  first  spanning  tree  for  Unmarked^(Z)  and  Z* ;  fi*  satisfies 
the  RM  condition,  then 

1.  RM^.  (Z*)  agrees  with  ji*  on  all  locations  not  in  Unmarked^ (Z*) 

2  (Zj  ;  RM^. (Z*))o  =  {li  •,h*)q  if  U  G  Unmarked^(Z*) 

(Zj  ;RM^-(Z*))<i  =  {li  if  Z,-  G  Unmarked^(Z* ) 

3.  If  Zi  lies  below  Z*  in  A  then 


(Z,  ;RM^.(Z*)),,= 


MOO  li  is  neither  left  nor  right  terminal  w.r.t  A 
MOl  li  is  right  but  not  left  terminal  w.r.t  A 
MIO  li  is  left  but  not  right  terminal  w.r.t  A 
Mil  li  is  both  left  and  right  terminal  w.r.t  A 


Proof  of  proposition  5:  This  is  by  induction  on  |A(Z*)|. 

Base  case:  |A(Z*)|  =  1,  in  this  C3ise  we  know  that  Z*  is  both  left  and  right  terminal  in  A. 
Consequently  RM^.(Z*)  =  mkmark{l* ;/i*)  and  1,  2  and  3  clearly  hold.  Dbase  case 

Induction  step:  |A(Z*)|  >  1.  There  are  three  cases  to  consider,  we  shall  only  do  the 

case  when  Z*  is  neither  left  nor  right  terminal;  the  other  two  cases  being  somewhat  simpler 


§6 


The  Correctness  of  the  Robson  Marking  algorithm. 


31 


versions  of  the  same  argument.  So  assuming  that  I*  is  neither  left  nor  right  terminal  with 
respect  to  A  we  have 

where  fj.**  =  mkmark{l* ,U00  \fi*)  eind  /*  =  (/*  ;M*)a  ^  ^  {a,d}. 

Now  ;  M**  satisfies  |A(/:)1  <  |A(/*)1  and  using  the  fact  that  =  m*  on  A(1‘)  we  have 
putting 

that  fia  satisfies  1,  2,  and  3  on  Unmarked^ (/;),  by  the  induction  hypothesis.  And  again 
since  |A(/5)1  <  1A(1*)|  and  the  fact  that  A(/*)  n  A(Z5)  =  0  we  have  that  =  n  on  A(/^)  so 
the  induction  hypothesis  allows  us  to  conclude  that 


satisfies  1,  2,  and  3.  A  simple  argument  puts  these  together  to  show  that  fi^  satisfies  1,  2, 
and  3  on  {I*  }  ©  A(/*)  ©  A(Z^) 

^proposition  5 

A  further  useful  fact  is  the  following,  the  proof  of  which  is  a  simple  induction  on  |A(Z*)|. 

Commutativity  lemma  for  (/*  )j  If  I*  ;/i*  satisfies  the  hypothesis  of  the  definition 

of  RM^-(Z*)  and  F  is  a  memory  operation  of  the  form  A/it.  setx{lk,v,(i)  where  x  €  {m,o,  d} 
and  Ik  ^  Unmarked^*  (/* )  then 

r(RM^.(r))  =  RMr(;..)(Z*) 

The  fact  that  this  transformation  RM  is  indeed  what  is  computed  by  rec’.rmark  is  verified 
by  the  following  theorem,  the  proof  of  which  we  leave  as  an  exercise  since  it  is  much  simpler 
than  the  one  that  follows  it. 

Theorem  5;  If  Z ;  €  M,ea:p  and  A  is  the  left  first  spanning  tree  for  Unmarked^(Z)  at 

Z ;  fx  then 

rec:rmark{l)  I ;  RM^(0 


6.5*  The  Main  marking  theorem 

Using  the  concepts  defined  above  we  can  formulate  the  main  theorem  of  this  section 
as  follows. 

Theorem  6;  If  / ;  /i  G  Msexp  and  A  is  the  left  first  spanning  tree  for  Unmarked^ (/)  at 
I  ;  /i  then 

rmark{l)  ;  /f  »  Z ;  RM^(Z) 

Theorem  6  follows  from  the  following  lemma. 
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Main  Lemma:  If  /q  ;  /io  €  M^^xp  is  such  that 

1.  Iq  €  Unmarked^(;) 

2.  Mo  =  Unmarked^o(Zo) 

3.  No  cell  below  Iq  in  the  spanning  tree  A  is  marked  in  mo 

4.  All  cells  above  and  to  the  left  of  Iq  in  A  are  marked  in  mo  ■ 


then 


markear{lQ,v)  ;  mo  »  popstack{lQ,v)  ;RM^o(Zo) 


Proof  of  the  main  lemma:  This  is  by  induction  on  |Unmarked^o(Zo)|. 

Base  case:  |Unmarked^o(Zo)|  =  1.  In  this  case  both  {Iq  ;  mo)o  and  {Iq  ;  mo)i  are  either 
marked  or  atomic,  by  conditions  2.  and  3.  this  means  that  Iq  is  both  left  and  right  terminal 
w.r.t  A.  Now 

markcar{lo,v)  ;mo  »  markcdr{lQ,v)  ;mi 


where  mi  =  8etm{lQ,E10  ;  mkmark{lQ,EL  ;  mo))  =  mkmark{lQ ,E10  ;  mo)  by  cancellation, 
furthermore 


markcdr{lQ,v)  ; /ii  2>  popstack{lo,v)  ;/X2 


where  /i2  —  setm(Zo,Mll  ;mi)  =  mkmark{lQ,mi  ;  Mo)  =  E-M^o(Zo),  again  by  cancellation. 

^Base  case 


Induction  step:  Suppose  that  the  lemma  is  true  for  memory  objects  of  less  rank  than 
jUnmarked^g  (/o)|  >  1.  We  split  this  part  of  the  proof  into  three  cases.  For  convenience 
we  will  let  and  be  {Iq  ;  mo)o  and  {Iq  ;  Mo)i  respectively. 

Case  1.  ^T{va  ;Mo)  A  ;mo) 

Case  2.  ;mo)  A  ;mo) 

Case  3.  ;mo)  A  ;mo) 

Case  1;  In  this  case  we  know  that  Iq  is  left  terminal.  We  also  know  that  vj  e  L.  So 


markcar{lQ,v)  ;mo  ^  markcdr{lQ,v)  ;  Mi 

where  /ii  =  fnkmar k {Iq ,E10 ] ^iq)  now  if  =  Iq  then  Iq  is  in  fact  both  left  and  right  terminal 
and  in  this  case 

markcdr{lQ,v)  ;mi  »  popstack{lQ,v)  ;m2 

where  M2  =  sctm(Zo,Mll  ;mi)  =  mA:marl:(/o,Mll;Mo)  =  by  cancellation.  Suppose 

that  Vi  #  Zo.  which  by  the  conditions  of  the  lemma  means  that  Iq  is  left  but  not  right 
terminal  w.r.t  A,  then 


markcdr{lQ,v)  ;  mi  ^  markcar{vi,lQ)  ;  M2 
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where  /i2  =  8etd{lo,v  ;  Hi).  It  is  a  simple  t2isk  to  show  that  ;/Z2  satisfies  the  conditions 
of  the  lemma  and  that  |Unmarked^j(v<j)l  <  lUnmarked^o(/o)l.  By  induction 

markcar{vi,lo)  i  M2  ^  popstack{vd,lo)  Ms 

where  /is  =  As  Iq  ^  Unmarked^j(i;d)  we  know  that  Iq  is  not  altered  in  the 

transition  from  /i2  to  113 .  Thus 

popstack{v4,lo)  ;M3  ^  pop8tack{lo,v)  ;/i4 

where  =  setd{lo,V4  ;  sctm(/o,M10  ; /is))  By  the  commutativity  lemma  we  have 

setd{lQ,V4  ;  Setm(/o,M10  ;  RM^Jv^)))  =  RM,etd(Jo,t;4;»etm(Jo,M10;^a))  (vd) 


where 

aetd{lo,Vd  ;  «ctm(/o,M10  ;/i2))  =  setd{lo,Vd  ;  sctm(Zo,M10 ;  aetd{lo,v,  mkmark{lo,E\0  ;no)))) 

but  by  cancellation  and  absorption  this  is  just  mkmark{lo,VllO;fio)  and  thus  (14  —  RM^g(Zo)* 
Cease  1 

Case  2:  In  this  case  we  know  that  Iq  is  right  terminal  w.r.t  A.  We  have  two  possibilities 
either  Va  =  lo  V  Va  ^  Iq-  If  ^0  then  Iq  is  both  left  and  right  terminal  and 

markcar{lo,v)  ;/io  ^  markcdr{lo,v)  ; /ii 

where  m  =  mkmarkQo ,^10  ;/io)-  Since  Vd  is  either  marked  or  atomic 

markcdr{lo,v)  ; /ii  >  popatack{lo,v)  ;/U2 

where  H2  =  aetm{lo,Ull  ;  Mi)  =  mA:morA:(Zo,Mll  ;  /xq)  =  RM^o(Zo)- 
U  Va  ^Iq  then 

markcar{lo,v)  ;/xo  >  markcar{va,lQ)  ;Mi 
where  /xi  =  aeta{lo,v  ;  mkmark{lo ,EL  ;  hq)).  Now  by  the  induction  hypothesis 

markcar{va,lQ)  ;  Mi  ^  popstack[va,lo)  ]  M2 

where  /X2  =  RM^,(vo).  As  Iq  ^  Unmarked^i(i;<i),  its  contents  remains  unchanged  during 
this  transition,  consequently 

popatack{va,lQ) ;  M2  ^  markcdr{lo,v) ;  /X3 

where  /X3  =  aeta{lo,Va  ;  setm(Zo,ER  ;  H2)).  Finally  since  Vd  is  atomic  or  marked  in  /xq  and 
consequently  remains  so  in  /X3  we  have 

markcdr{loyv)  ; /X3  »  popatack{lo,v)  ;/i4 
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where  /Z4  =  aetm{lo ,U01  ;M3)-  Now 

fi4  =  setm{lo,U01  ;  seta{lo,Va  ;  sefm(/o,ER  ;  RM^j(va)))). 

By  the  commutativity  lemma  we  have  /Z4  =  RM^.(t;a)  where 

fi*  =  seim(/o,M01  ]  seta{lo,Va  setm{lQ,EB. ;  seta[lo,v  ;  mkmark{lo, EL  ;  hq))))) 
which  by  cancellation,  commutativity  and  absorption  reduces  to  mkmark{lo,U01  ;  /iq)  and 

so  fi4  =  R^4^p(/o)-  Dcase  2 

Case  3:  In  this  case  neither  Va  nor  vj  is  atomic  or  marked,  however  there  are  several 
possibilities  (i)  Iq  ^  Va  ^  Vd  ^  Iq,  (ii)  Iq  =  Va  =  Vd  (iii)  /q  #  Va  =  Vd  (iv)  lo  =  ^  Vd,  and 

(v)  lo=Vd^  Va. 

The  last  four  cases  all  reduce  to  ones  already  considered  so  we  leave  them  to  the 
suspicious  reader  to  verify.  In  the  first  case  we  have 

markcar(lo,v)  ;/xo  ^  tnarkcar{va,lo)  iMi 

where  fxi  =  seta{lo,v  ;  mkmark{lo,EL  ;  Ho)).  Now  by  the  induction  hypothesis  we  have 

markcar{va,lo)  ; /ii  »  popstack{va,lo)  ;M2 
where  fX2  =  RM^j(?;a).  And  as  Iq  ^  Unmarked^j 

popstack{va,lo)  ;/^2  ^  markcdr{lo,v)  ;  ^3 

where  /13  =  seta{lo,Va  ;  setm(/o,ER  ;  //a))-  Now,  if  Vd  is  marked  in  fis  then  it  must  occur 
below  Va  in  the  spanning  tree,  in  which  case  /q  is  right  but  not  left  terminal.  Given  that  Vd 
is  marked  in  ^,3  we  have  that 

markcdr{lQ,v)  ; /X3  »  popstack{lo,v)  ■,1x4 


where  H4  =  setm(Zo,M01  ;fi3)  and,  just  as  in  case  2,  fi4  =  RM^3(/o).  So  suppose  that  Vd  is 
not  marked  in  ^3 .  In  other  words  suppose  that  Iq  is  neither  left  nor  right  terminal.  Then 

markcdr{lo,v)  ;  /i3  »  markcar{vd,lo)  M4 

where  fi4  =  setd{lo,v,fj,3).  Consequently  using  the  induction  hypothesis  again  we  have  that 

markcar{vd,lQ)  ;  (14  »  popstack{vd,lo)  ;  Ms 

where  =  RM^^(U(i).  As  Iq  is  not  altered  in  the  transition  from  fj,4  to  we  have 

popstack{vd,lo)  ;ms  ^  popstack{lo,v)  -,113 
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where  fiQ  =  setdQo,V4  ;  setm[lo,MOO  Now 

IJ.4  =setd{lo,v  ;  seta{lo,Va  ;  setm(lo,ER  ;  RM^i(va)))) 

and 

/xg  =  setd{lo,Vd  ;  sctm(/o,MOO  ;  RM^^(vd))) 
so  by  the  commutativity  lemma 

/ig  =  =  RM^+(Vd) 

where 

H+  =  setd{lo,Vd  ;  sctm(Zo,MOO  ;  8etd{lo,v  ;  8eta{lo,Va  ;  sc«m(/o,ER  ;  RM^i(va)))))). 
Using  the  commutativity  lemma  again  this  becomes 
/x"*"  —  RM,et(X(Jo  , v4;«etm(Jo . M00;»et<i(Io  , ,tia;<et«»(Jo,ER;*eXo(Io,«;mfcmorA:(Jo,EL;Mo )))))))  (^a) 
which  by  cancellation,  commutativity  and  absorption  is  just  RNl,nfcmarfc(Xo>NOO;;<o)(^a)  Thus 

/Xg  =  RM^o(Zo)-  Oca  se  8 
I^main  lemma 


7.  The  Correctness  of  the  Robson  copy  algorithm. 

In  this  section  we  prove  the  correctness  of  the  Robson  copying  algorithm.  The  section 
is  structurally  similar  to  the  previous  one.  In  7.1  we  define  a  simple  recursive  program, 
which  describes  the  same  function  as  the  Robson  copying  algorithm,  its  pointer  reversal 
counterpart.  In  7.2  we  introduce  some  notation  and  define  the  set  upon  which  we  shall 
perform  induction.  Then  in  7.3  we  introduce  the  transformation  by  which  we  prove  the 
equivalence  of  our  two  copying  programs.  In  7.4  we  introduce  the  actual  Robson  algorithm 
and  finally  in  7.5  we  prove  its  correctness. 

7.1,  The  Recursive  version  of  the  copy  algorithm. 

The  following  program  is  a  recursive  version  of  the  Robson  algorithm  and  we  shall 
study  it  in  this  section  bls  a  preliminary  to  the  actual  Robson  copy  algorithm.  It  simply 
implements  the  transformation  Peel,  which  will  be  defined  shortly.  We  begin  by  a  discussing 
how  the  program  works.  As  Robson  himself  says  of  his  own  algorithm: 

A  new  algorithm  is  presented  which  copies  cyclic  list  structures  using  bounded 

workspace  and  linear  time  .  The  distinctive  feature  of  this  algorithm  is  a 

technique  for  traversing  the  structure  twice,  using  the  same  spanning  tree  in  each 
case,  first  from  left  to  right  and  then  from  right  to  left. 
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Our  simple  recursive  version  uses  much  the  same  technique,  the  only  diflFerence  is  that  since 
our  version  is  not  tail  recursive  we  cannot  claim  to  use  only  bounded  workspace.  With 
respect  to  the  traversals  at  least  we  have  made  our  job  somewhat  easier.  The  first  traversal 
of  the  structure  corresponds  precisely  to  the  algorithm  that  we  have  called  the  Robson 
marking  algorithm.  Consequently  we  need  now  only  describe  the  second  traversal,  best 
described  as  a  peeling  operation. 

Recall  that  after  the  first  traversal  each  cell  is  allocated  a  new  cell,  which  we  shall 
call  its  image.  The  original  cell  is  modified  so  that  its  car  part  contains  a  mark  denoting 
its  place  in  the  left-first  spanning  tree,  while  its  cdr  part  contains  its  image.  The  image 
in  turn  contains  the  cells  original  contents.  Consequently  each  original  cell  now  contains 
two  more  pieces  of  information,  namely  whether  its  car  or  cdr  is  terminal  in  the  Brouwer- 
Kleene  ordering  of  the  left-first  spanning  tree.  This  information  allows  the  second  traversal 
to  use  the  same  spanning  tree,  in  the  reverse  order,  without  further  marking.  The  crucial 
observation  is  that  since  the  decision  to  follow  a  pointer  depends  on  the  mark  in  the  cell 
containing  it,  rather  than  upon  the  cell  pointed  to,  this  traversal  can  remove  the  marks  £is 
it  uses  them.  Furthermore  since  the  image  cell  which  is  used  together  with  the  original  cell 
to  store  the  mark  and  the  original  contents,  is  no  longer  required,  this  cell  can  be  recycled 
and  used  as  the  corresponding  cell  in  the  copy.  This  storage  optimization  is  similar  in  spirit 
to  that  done  recently  in  the  study  of  tail  recursion  up  to  a  cons^  see  for  example  [W]. 

rec:copy{l)  ^ 
if  (aiom(l), 

1, 

[rmarA:(l),let{tl  crfr(l)}[rcc:pec/(l),tl]]) 
fcc:pee/(oldcel)  ^ 

let{newcel  C(fr(oldcel)} 
let  {  newcar  amaje  ( car  (newc  el)), 
newcdr  «ma^?c(cdr(newcel)), 
oldcar  car(newcel), 
oldcdr  cdr (newcel)} 

[if  8(eg(M00,  m(oldcel)),[rec:pcc/(oldcdr),  rcc:pee/(oldcar)], 
cg(M01 ,  m  (oldcel)) ,  rec:peel{oldc  ar) , 

(MIO,  m  (oldcel)) ,  rcc  :pcc^(oldcdr) , 
cg(Mll,m(oldcel)),NIL), 
rp/aca(oldcel,  oldcar), 
rp/acd{oldc  el,  oldcdr), 
rp/aca(newc  el,  newcar), 
rpZacd(newcel,newcdr)] 
ima^e(l)  ^  if  (aZom(l),l,  cdr(l)) 
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We  now  set  about  developing  some  concepts  that  enable  us  to  prove  the  correctness  of  this 
as  well  as  of  the  Robson  algorithm. 

7.2.  Some  additional  concepts  and  notation. 

In  this  section  we  abide  by  the  following  important  notational  assumptions.  They  cor¬ 
respond  to  the  following  scenario:  we  begin  with  a  memory  object  Iq  ;  fio  with  Cells^o  (M  = 
such  that  none  of  these  cells  are  marked.  Thus 

Unmarked^o(/o)  =  Cell8^o(/o)- 

For  convenience  we  let  the  car  of  /» ;/io  be  Via  the  cdr  be  in  other  words  (/*•  ;/xo)o  —  ^»a 
and  (/,•  ]  Ho) i  =  Vid-  We  then  apply  the  Robson  marking  algorithm  to  Iq  ;  Ho  and  so  obtain 
Iq  ;  H  where 

rmarA:(lo) ;  ^  ^0  ;  M  =  ^0  ; 

Each  cell  k  for  t  G  r  4- 1  is  allocated  a  new  cell,  which  we  call  its  image.  We  denote  the 
image  of  the  cell  U  €  Cell8^o(/o)  by  IJ*".  Since  we  shall  make  use  of  these  assumptions  over 
and  over  again  we  save  time  and  give  them  a  name 

'  0.  Iq  ;  Ho  ^  Mgeap  is  such  that  no  cell  in  Cells^(/o)  is  marked. 

1.  A  is  the  left  first  spanning  tree  of  Umnarked^g(/o)  at  Iq  \ho- 

A  {2.  H  =  ^U^o). 

I  3.  Cells^o(/o)  =  {^0  5 

[  4.  (/< ;  Ho)o  =  na  and  {U  •,Ho)i  =  for  i  G  r  +  1. 

The  following  proposition  is  a  consequence  of  our  notation. 

Proposition  6;  6^  =  U  {/ ,  . . . ,  }  where 

1.  ip  /  ip  ^  5^0  for  i,j  er+1  and  »  #  j 

2.  image{li) ;  h  ^  tH  for  i  G  r  +  1 

3.  cor(ij) ;  /i  »  V  ;  /i  where  v  G  {MOO,  MOl,  MIO,  Mil}  for  i  G  r  +  1 

4.  (ii  ;Mo)o  =  ;m)o  =  and  {li\Ho)i  =  {h]H)d  =  Vid  for  i  G  r  +  1. 

For  convenience  we  let 

{V  if  V  G  fl 

V  if  vGL  but  {io,  ...,ir} 
if  V  =  li  A  i  G  r  +  1 

The  main  theorem  concerning  the  recursive  algorithm  is: 

Theorem  7:  If  io>  Hoi  and  h  are  as  in  A  then 


ree:copy{lo)  \ho'>Iq\H\ 
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such  that 

1.  Iq  —lo]  fii 

1.  fii  {li)  =  ^o(^»)  for  t  e  r  +  1 

1-  or)  =  [(Via)’"®’'  for  ier  +  1 

We  now  turn  to  defining  the  set  upon  which  induction  will  be  carried  out.  In  this  case  since 
the  structures  that  we  are  working  on  have  a  special  form,  car-cdr  chains  through  cells 
having  a  certain  property  are  no  longer  appropriate.  What  we  actually  are  interested  in 
now  is  a-d  chains  in  the  sense  of  the  abstract  syntax  of  the  previous  section.  For  this  reason 
we  define  in  exactly  the  same  way  as  TC  except  that  0  is  replaced  everywhere  by 

a  and  1  by  d.  To  be  precise: 

Definition:  (v  ;  ,  ^d)  is  the  smallest  set  X  such  that 

1.  If  ;  jj)  then  v  €  X 

2.  If  /  €  X  and  ;  fi)  then  (/ ;  fi)a  €  X 

3.  If  /  G  -Y  and  ;  n)  then  (/  \n)i€.X 

The  reader  is  reminded  that  the  definition  of  (/ ;  p)*  and  (Z ;  can  be  found  in  6.1. 

Definition  of  Tree^(v):  Suppose  that  /x*  is  some  memory,  it  will  usually  be  related  to 
H  but  we  do  not  require  it,  then  define 


Tree^(i;)  = 


where  ^a{v\  fi)  ^  (v  ;  At)m  €  {MOO,  MOl},  m)  ^  (v  ;  M)m  e  {MOO,  MIO},  and 

;  p)  *->■  marked{v)  ;  /a  ^  T ;  /i.  In  other  words 


Tree^{u) 


(<b 

{v} 

i  {v}uTree^(v„) 
{t;}uTree^(vrf) 

I  {v}  U  Tree^  (va)  0  Tree^  (vj) 


V  G  A  V 
if  (v;//«)m  =  Mll 
if  (t;;Ait)m=M01 
if  (v  ;  th)m  =  MIO 
if  (v  i  fkim.  =  MOO 


Notice  that  Tree^(Zi)  =  A(/,)  when  Zj  G  Unmarked^„(Zo),  for  i  G  r  +  1. 

Definition  of  Tree*^(Zi):  Now  if  /i  is  as  in  A  and  Z  G  r  +  1  then  for  convenience  we  let 


TreeV(Z,)  =  Tree^(Z0  ©  {l^  \  Zy  G  Tree^(Z,)} 
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7.3.  The  recursive  transformation  peel. 


We  now  define  the  transformation  that  we  use  to  prove  the  theorems  about  peeling. 
As  in  the  previous  section  we  begin  by  making  explicit  the  assumptions  under  which  we 
make  this  definition.  We  give  them  a  name  so  as  to  refer  to  them  in  the  future. 

Peel  condition:  Suppose  la‘,m  €  Maeap  is  such  that  s  €  r  + 1  and  /x*  =  //  on  Tree*^(/,). 
Furthermore  if  /<  ^  /«  with  respect  to  A  then  {U  ;  /it)i  =  . 

Definition  of  Peel^,(/*):  We  now  define  Peel^,(/,)  a  transformation  from  to 

l^»e®p-  Put 

/i**  =  setcdr{ls,Vad  ;  setcar{l,,v,a  IMt)) 


and 

;  seicar(/r, 


then 


Peel^,  (Za) 


Peelpeei^^a(u,a)(Vaa)  if  (Za  j  Mt)m  =  MOO 

Peel^a<t('Uao)  if  (Za  !  /^t)m  —  MOl 

Peel^.<i(va<j)  if  (Za  ;  A^t)m  =  MIO 

if(Za;Mt)m=Mll 


Theorem  7.  now  follows  from  the  following  two  lemmas. 


Rec:peel  Lemma:  If  Za  ;  fit  satisfies  the  Peel  condition  then 


rec:peel{lg) ;  fit  »  Z’*”  ;  Peel^,(Za) 


Proof  of  Rec’.peel  lemma:  This  is  a  simple  induction  on  |Tree^,(Za)|. 

QRec:peel  lemma 

Peel  Lemma:  If  Za  ;  fit  satisfies  the  Peel  condition  2uid  if  Zj  €  Tree^,  (Za)  then 

1.  Peel^,(Za)  =  fio  on  Tree^,(Za) 

2.  Peel^(Za)(Zr)  =  and 

3.  Peel^,(Za)  =  fit  off  Tree J^(Za). 

Proof  of  Peel  lemma:  This  is  by  induction  on  |Tree^,(Za)|. 

Base  case:  |Tree;*,(Za)l  =  1,  in  this  case  (Za  ;  Mt)m  =  Mil  and  so  by  proposition  5  h  is 
left  and  right  terminal  w.r.t  A.  Now  fit  =  fi  =  B-M^ji(Zo)  on  Tree*  (Za)  =  Tree^(Za)u{Za”‘} 
SO  by  proposition  6 

fitih)  =  [Mll,Z’”‘]  and  Mt(/a"‘)  = 

Then  Peel^(Z8)  =  where  is  as  in  the  definition  of  Peel.  Clearly  has  the  desired 

prop6rti6S.  (IJbase  case 
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Induction  step:  Suppose  |Tree^(/a)|  >  1,  and  the  lemma  holds  for  simpler  cases.  We 
shall  do  the  case  when  ^{l^)  =  [MOO,/*”^],  the  other  two  cases  being  somewhat  simpler.  In 
this  ceise  we  have 

Peel^^(/a)  = 

where  again  is  as  in  the  definition  of  Peel.  Now  observe  that  we  may  apply  the  induction 
hypothesis  to  Vsd-  Thus  by  letting  /i*  =  Peel^a4(?;^d)  we  have 

/i*  =  //o  .  on  Tree^ad{v^d)  =  Tree^^^Ct^ad) 

and 

=  for  /(  €  Tr.0^(«.i). 

Now  again  v,a  ;  M*  satisfies  the  hypothesis  of  the  leinma  and  Tree^(vao)  =  Tree^.(t;ja)  is 
smaller  than  Tree^,  (/,)  so  letting  (if  =  Peel^-(v,o)  we  have  by  the  induction  hypothesis 
that 

tif  =  tiQ  on  Tree^.(v,a) 

and 

=  for  /,€Tree^(u,„). 

Using  the  definition  of  /i"**  and  the  fact  that 

Tree^{/,)  =  {/,}©  Tree^(t;„)  ©  Tree^,(v,d) 

we  can  easily  combine  the  above  to  give  the  result.  Dpeei  lemma 

We  finish  this  section  with  another  important  property  of  Peel^(/a),  which  is  proved 
by  em  easy  induction  on  |Tree^(/a)|. 

Commutativity  Lemma  for  Peel^,(;,):  If  Z,  ;  satisfies  the  Peel  condition  and  T  is 
a  memory  operation  of  the  form  \^.setx{lk,v  \n)  where  x  €  {car,cdr,a,d)  and  Z*,  e  but 
Ik  ^  Tree^(Z,)  then 

r(Peel^(Z,))  =  Peelr(^)(Z,) 

7.4.  The  Robson  Copying  Algorithm 

We  now  present  the  actual  Robson  copying  algorithm,  copy.  This  uses  peel,  a  pointer 
reversing  version  of  our  recipeel  algorithm. 

copy{s)  +-  il(otom(s),s,pccZ(rmorA:(8),ALPHA)) 
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pee/(s,  stack)  -t— 

let{nc  *4-  crfr(s),tl  a(s),t2  <f(s)} 

il  s(eg(MOO,  m(s)),  [seem(s,FOO), 

5e^rf(s,  stack), 
p€e/(t2,s)], 

eg(M01,  m(s)),[5ctm(s, stack), 
sc^a(s,t2), 
seirf(s,image(t2)), 
pce/(tl,s)], 

e^(M10,m(s)),[5cfm(s,F10), 

S6^(f(s,  stack), 
pce/(t2,s)], 
eg(Mll,m(s)),[«eim(s,tl), 

«cia(s,  tmoge(tl)), 
setd{s^  image{t2))^ 
rp/ocrf(s,t2), 
popstack2{s^  stack, nc)]) 
pop5iacA:J?(s, stack, newcel)  ^ 
if  (  cg(stack,  ALPHA) , 
newcel, 

let{nc  crfr(stack),oc  car(stack),tl  a(8tack),t2  rf(stack)} 
ifs(eg(F00,m(stack)),[5etm(stack,t2), 

5e^rf(stack,  newcel), 

5e^a(stack,s), 
pee/(tl,  stack)], 
eg(F10,  m  (stack)),  [seim(stack,tl), 

se^a(stack,  image  (tl)), 

5eirf(stack,  newcel), 
rp/acrf(stack,s), 
popstack  (stack,  t2,  nc )] , 

T,  [rp/acrf(stack,tl), 

setm  (nc ,  ne  wc  e  1) , 
se^fn(stack,s), 
papsiacArS  (stack,  oc,nc)]) 
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The  algorithm  above  uses  the  abstract  syntax  defined  in  6.1,  v/hich  for  ease  of  reading,  we 
repeat  here. 

m(l)  ^  caf(l) 
o(l)  1—  cor(cdr(l)) 
d{l)  cdr(cdr{l)) 

«etm(l,m)  ■<—  rplaca{l,m) 
scta(l,x)  -t—  rplaca{cdr{l),x) 
setd{l,x)  ^  rplacd{cdr{l),x) 
image{l)  •*—  il(otom(l),l,  cdr(l)) 

Where  x  accesses  the  cxr  part  of  the  image  cell  associated  with  I  and  setx  updates  it  for 
X  €  {a,d}.  As  for  the  Robson  marking  algorithm  peel  is  defined  by  a  tail  recursive  system 
of  definitions. 

7.5.  The  Main  copying  theorem. 

The  main  theorem  of  this  section  is 
Theorem  8:  If  /o  ?  Mo  and  fx  are  ets  in  A  then 

copy{lo)  ;  Mo  >  I  Mi 

such  that 

1.  /q  )  Ml  ~  ^0  )  Ml 

2.  (Z^)  =  Mo(^»)  for  ?  G  r  +  1 

3.  Mi(/r)  =  v\X\  for  Z  G  r  +  1 

df 

This  is  a  consequence  of  the  following  lemma. 

Main  Lemma:  If  Z,  ;  /it  satisfies  the  Peel  condition  then 

peel{l,,  v)  ;/it  »  popstack2{lg,  v,  Z*”^)  ;Peel^,(Zs) 

Proof  of  Main  lemma:  This  is  by  induction  on  |Tree^,(Za)|. 

Base  case:  |Tree^, (Z*)]  =  1.  In  this  ceise  (Zg  ;Mt)m  =  MU  and  consequently 


peel{lg,  u)  ;/it  »  popstack2{la,  v,  Z*”^)  ;/i* 
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where,  recalling  the  definition  of  /z**  and  /u®**  from  the  previous  section,  we  have 

"  n**  if  Vea,Veil  €  A 

.  _  I  setcar(l*”^,vi’^  if  €  A  A  Vaa  €  L 

^  ~  ^  setcdrll'J^ ;  /z**)  if  Vsa  ^  A  A  v^d  €.  L 

,  /[z®**  otherwise 

By  the  definition  of  (v)*"*®®*,  in  all  of  the  above  cases  fx*  =  /z®‘*.  Dbase  case 

Induction  step:  |Tree^,(/a)l  >  1.  In  this  case  {le.',(h)m  €  {MOO,  MOl,  MIO}.  Conse¬ 

quently  we  split  this  part  of  the  proof  into  three  cases. 

Case  1:  (/«  ■,^lt)m=  MOO.  Here  we  have 

peel(U,v)  ;  /z*  »  peel{v^d,D  \  Mi 

where  mi  =  8etd{le,v  ;  setcor(/a, FOO  ;Mt))-  Consequently  by  the  induction  hypothesis 

peel{ved,  popstack2{vsd,  h, 

where  H2  =  Peel^j  (wad).  Now  since  Ig  is  unchanged  during  the  transformation  from  fXi  to 
H2  we  have 

popstdckB ^Vgd^  )  >  M2  j  M3 

where  M3  =  aeta{lg,Vgd  ;  8etd{lg,vi”[  ;  setcar{lg,v;fi2)))-  Again  by  our  induction  hypothesis 

peel{vga,  Ig)  ;M3  ':$>  popstack2{vga,  Ig,  f’?)  ;  Mi 

where  /Z4  =  Peel^3(vaa)-  Since  Ig  is  unchanged  we  obtain 

popstack2{vga,  Ig,  VaD  ;  Ml  »  PopstacA:2(/a,v, /•'");  Ms 

where /Z5  =  aetcdr{lg,Vgd‘,setcar[V'J^  \setcar{lg,Vga]p.A)))-  Now  we  show /Z5  =Peel^,(/a). 
Note  that  /Z2  =  Peel^i(vad)  and  mi  =  setd{lg,v,setcar{lg,FOO;pt,t)).  By  the  commutativity 
lemma  M2  =  setd{lg,v  ;  «ctcar(/a,FOO  ;Peel^(vai)))  and  thus 

/Z3  =  seta{lg,Vgd  ;  setd{lg,v*J2  \  setcar{lg,v  ;  setd{lg,v  ;  setcar{lg,FOO  ; Peel^,(t;a<f)))))) 

which  by  cancellation  this  becomes 

/IZ3  =  seta{lg,Vgd  ;  setd{la,v*J2  i  setcar{lg,v  ;Peel^,(va<i)))). 


Now 

Us  =  setcdr{lg,Vgd  ;  setcar{l*g^ ,Vg'^  ;  setcar{lg,Vaa  ;  Peel^3(vao)))) 
which  by  the  commutativity  lemma  becomes 

P®®^»etcdr(l,,w,i;»etcar(Ji’",u'™;»etcor  (l,,v,^;»eta{l,,v,i-,setd(l.,vY^;»etcar{l,,v,Peel,^^  («'.<l)))))))) 
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By  cancellation,  this  becomes 

and  one  more  application  of  the  commutativity  lemma  gives  the  result.  CUcase  i 
Case  2:  (/«  =  MOl.  In  this  situation 

peel{l^,v)  ;  m  »  peel{v,a,l,)  \  Ml 

where 

_  r  seta{ls,v,d  ;  setcar{lg,v  ]  fxt))  if  v^d  S  A 

*  \setd(la,vl^  ;seta{la,Vgd  ;  setcar{lg,v  ;  fit)))  otherwise. 

Now  by  induction 

peel{vaa,  l«);ftl  '>  pop8tack2[Vaa-,  la,  v'^)  \  fl^ 
where  M2  =  Peel^j(v«a)-  Since  /*  is  uncheinged 

popstack2{vaa,  la,  i  M2  »  popstack2 {Ig ,v,l*/^)  ;  fis 

where  /13  =  setcar[lg,Vga  ;  setcarQ^ ;  8etd{lg,Vgd  ;  M2)))- 

We  only  show  that  Ms  =  Peel^,  (/«)  in  the  case  Vgd  E  A,  the  other  ceise  is  not  much 
more  challenging. 

M3  =  setcar{lg,Vga  ;  setcar{r;^ ;  setd{lg,Vgd  ;Peel^^(v,<,)))) 

So  by  the  commutativity  lemma 

=  ^®®^»etcar({,,v,»;4etcar(Ji'",w;";«etd(Z,  ,u,j;m)))  (v«o) 

and  since 

Ml  =  seta{lg,Vgd  ;  setcar{lg,v  ;  fit)) 

we  have 

=  I*®6l»etcar  (J.  ■,aeicar  (!•,"*  ;»et<l  (I,  ;4eto  (J.  .t;,a;«etcor  (i.  ,v  [fit )) ) ) )  (^^«o)  • 

By  cancellation  this  becomes 

^3  —  ,t),a;*etcar(J*"‘ ,uj (v«o) 

and  thus  Ms  =  Peel^,(/^).  Dcase  2 

Case  3:  (/«  ;  Mt)m  =  MIO.  In  this  situation 


peel{lg,v)  ;fit  peel{vgd,lg)  \  fii 
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where  ni  =  8etd{lg,v  ;  8etcar{l,, ¥10  int)).  By  induction 

peel{v,d,  l»)  >  pop8tack2{v,d,  Z«,  u*^)  \p,2 

where  /i2  =  Peel^,  Furthermore 

popstack2  {vgd  5  h,  ;M2  >  popstack2{lg,v,r^)\n^ 


where 

_  f  Sctcdf^l^  J  8€td(Jff  j  SCtCdT^lg  ,  /i2)))  ^  ^ 

\  8eta{lg,v^  ;  8etcdr{l,,Vgd  ;  8etd{l„v\'!^  ;  8etcar{lg,Vga  ;  /:i2))))  otherwise. 

Again  we  only  show  fis  =  Peel^(^a)  in  the  case  G  A.  Here  we  have 

//3  =  5eicrfr(/a,Vad  ;  5eicar(/a , ;M2)))- 

Using  the  commutativity  lemma  and  cancelling  we  obtain 


Qcase  8 

Qmain  lemma 
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